======================================= Sat, 18 Jul 2020 - Debian 9.13 released ======================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:54:01 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: linux-headers-4.9.0-12-all | 4.9.210-1+deb9u1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:54:30 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: ata-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 btrfs-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 cdrom-core-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 crc-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 crypto-dm-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 crypto-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 efi-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 event-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 ext4-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 fat-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 fb-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 fuse-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 i2c-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 input-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 isofs-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 jfs-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 kernel-image-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 leds-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 linux-headers-4.9.0-12-all-arm64 | 4.9.210-1+deb9u1 | arm64 linux-headers-4.9.0-12-arm64 | 4.9.210-1+deb9u1 | arm64 linux-image-4.9.0-12-arm64 | 4.9.210-1+deb9u1 | arm64 linux-image-4.9.0-12-arm64-dbg | 4.9.210-1+deb9u1 | arm64 loop-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 md-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 mmc-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 multipath-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 nbd-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 nic-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 nic-shared-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 nic-usb-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 nic-wireless-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 ppp-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 sata-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 scsi-core-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 scsi-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 squashfs-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 udf-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 uinput-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 usb-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 usb-storage-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 virtio-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 xfs-modules-4.9.0-12-arm64-di | 4.9.210-1+deb9u1 | arm64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:54:39 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: btrfs-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel cdrom-core-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel crc-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel crypto-dm-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel crypto-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel event-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel ext4-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel fat-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel fb-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel fuse-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel input-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel ipv6-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel isofs-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel jffs2-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel jfs-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel kernel-image-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel leds-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel linux-headers-4.9.0-12-all-armel | 4.9.210-1+deb9u1 | armel linux-headers-4.9.0-12-marvell | 4.9.210-1+deb9u1 | armel linux-image-4.9.0-12-marvell | 4.9.210-1+deb9u1 | armel linux-image-4.9.0-12-marvell-dbg | 4.9.210-1+deb9u1 | armel loop-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel md-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel minix-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel mmc-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel mouse-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel mtd-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel multipath-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel nbd-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel nic-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel nic-shared-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel nic-usb-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel ppp-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel sata-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel scsi-core-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel squashfs-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel udf-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel uinput-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel usb-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel usb-serial-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel usb-storage-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel zlib-modules-4.9.0-12-marvell-di | 4.9.210-1+deb9u1 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:55:04 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: ata-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf btrfs-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf crc-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf crypto-dm-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf crypto-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf efi-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf event-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf ext4-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf fat-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf fb-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf fuse-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf i2c-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf input-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf isofs-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf jfs-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf kernel-image-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf leds-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf linux-headers-4.9.0-12-all-armhf | 4.9.210-1+deb9u1 | armhf linux-headers-4.9.0-12-armmp | 4.9.210-1+deb9u1 | armhf linux-headers-4.9.0-12-armmp-lpae | 4.9.210-1+deb9u1 | armhf linux-image-4.9.0-12-armmp | 4.9.210-1+deb9u1 | armhf linux-image-4.9.0-12-armmp-dbg | 4.9.210-1+deb9u1 | armhf linux-image-4.9.0-12-armmp-lpae | 4.9.210-1+deb9u1 | armhf linux-image-4.9.0-12-armmp-lpae-dbg | 4.9.210-1+deb9u1 | armhf loop-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf md-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf mmc-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf mtd-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf multipath-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf nbd-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf nic-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf nic-shared-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf nic-usb-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf nic-wireless-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf pata-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf ppp-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf sata-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf scsi-core-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf scsi-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf squashfs-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf udf-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf uinput-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf usb-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf usb-storage-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf virtio-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf zlib-modules-4.9.0-12-armmp-di | 4.9.210-1+deb9u1 | armhf ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:55:14 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: acpi-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 acpi-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 ata-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 ata-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 btrfs-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 btrfs-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 cdrom-core-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 cdrom-core-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 crc-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 crc-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 crypto-dm-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 crypto-dm-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 crypto-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 crypto-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 efi-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 efi-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 event-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 event-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 ext4-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 ext4-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 fat-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 fat-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 fb-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 fb-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 firewire-core-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 firewire-core-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 fuse-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 fuse-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 hyperv-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 hyperv-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 i2c-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 i2c-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 input-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 input-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 isofs-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 isofs-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 jfs-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 jfs-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 kernel-image-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 kernel-image-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 linux-headers-4.9.0-12-686 | 4.9.210-1+deb9u1 | i386 linux-headers-4.9.0-12-686-pae | 4.9.210-1+deb9u1 | i386 linux-headers-4.9.0-12-all-i386 | 4.9.210-1+deb9u1 | i386 linux-headers-4.9.0-12-rt-686-pae | 4.9.210-1+deb9u1 | i386 linux-image-4.9.0-12-686 | 4.9.210-1+deb9u1 | i386 linux-image-4.9.0-12-686-dbg | 4.9.210-1+deb9u1 | i386 linux-image-4.9.0-12-686-pae | 4.9.210-1+deb9u1 | i386 linux-image-4.9.0-12-686-pae-dbg | 4.9.210-1+deb9u1 | i386 linux-image-4.9.0-12-rt-686-pae | 4.9.210-1+deb9u1 | i386 linux-image-4.9.0-12-rt-686-pae-dbg | 4.9.210-1+deb9u1 | i386 loop-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 loop-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 md-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 md-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 mmc-core-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 mmc-core-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 mmc-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 mmc-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 mouse-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 mouse-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 multipath-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 multipath-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 nbd-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 nbd-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 nic-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 nic-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 nic-pcmcia-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 nic-pcmcia-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 nic-shared-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 nic-shared-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 nic-usb-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 nic-usb-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 nic-wireless-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 nic-wireless-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 ntfs-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 ntfs-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 pata-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 pata-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 pcmcia-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 pcmcia-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 pcmcia-storage-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 pcmcia-storage-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 ppp-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 ppp-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 sata-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 sata-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 scsi-core-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 scsi-core-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 scsi-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 scsi-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 serial-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 serial-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 sound-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 sound-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 speakup-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 speakup-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 squashfs-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 squashfs-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 udf-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 udf-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 uinput-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 uinput-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 usb-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 usb-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 usb-serial-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 usb-serial-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 usb-storage-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 usb-storage-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 virtio-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 virtio-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 xfs-modules-4.9.0-12-686-di | 4.9.210-1+deb9u1 | i386 xfs-modules-4.9.0-12-686-pae-di | 4.9.210-1+deb9u1 | i386 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:55:33 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: affs-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel btrfs-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel cdrom-core-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel crc-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel crypto-dm-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel crypto-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel event-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel ext4-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel fat-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel fuse-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel hfs-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel input-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel isofs-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel jfs-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel kernel-image-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel linux-headers-4.9.0-12-5kc-malta | 4.9.210-1+deb9u1 | mips, mips64el, mipsel linux-headers-4.9.0-12-octeon | 4.9.210-1+deb9u1 | mips, mips64el, mipsel linux-image-4.9.0-12-5kc-malta | 4.9.210-1+deb9u1 | mips, mips64el, mipsel linux-image-4.9.0-12-5kc-malta-dbg | 4.9.210-1+deb9u1 | mips, mips64el, mipsel linux-image-4.9.0-12-octeon | 4.9.210-1+deb9u1 | mips, mips64el, mipsel linux-image-4.9.0-12-octeon-dbg | 4.9.210-1+deb9u1 | mips, mips64el, mipsel loop-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel md-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel minix-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel multipath-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel nbd-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel nic-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel nic-shared-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel nic-usb-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel nic-wireless-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel ntfs-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel pata-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel ppp-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel rtc-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel sata-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel scsi-core-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel scsi-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel sound-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel squashfs-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel udf-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel usb-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel usb-serial-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel usb-storage-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel virtio-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel xfs-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel zlib-modules-4.9.0-12-octeon-di | 4.9.210-1+deb9u1 | mips, mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:55:55 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: affs-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel ata-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel btrfs-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel cdrom-core-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel crc-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel crypto-dm-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel crypto-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel event-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel ext4-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel fat-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel fuse-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel hfs-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel i2c-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel input-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel isofs-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel jfs-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel kernel-image-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel linux-headers-4.9.0-12-4kc-malta | 4.9.210-1+deb9u1 | mips, mipsel linux-image-4.9.0-12-4kc-malta | 4.9.210-1+deb9u1 | mips, mipsel linux-image-4.9.0-12-4kc-malta-dbg | 4.9.210-1+deb9u1 | mips, mipsel loop-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel md-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel minix-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel mmc-core-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel mmc-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel mouse-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel multipath-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel nbd-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel nic-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel nic-shared-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel nic-usb-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel nic-wireless-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel ntfs-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel pata-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel ppp-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel sata-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel scsi-core-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel scsi-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel sound-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel squashfs-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel udf-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel usb-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel usb-serial-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel usb-storage-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel virtio-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel xfs-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel zlib-modules-4.9.0-12-4kc-malta-di | 4.9.210-1+deb9u1 | mips, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:56:16 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: affs-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el ata-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el btrfs-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el cdrom-core-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el crc-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el crypto-dm-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el crypto-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el event-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el ext4-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el fat-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el fuse-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el hfs-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el i2c-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el input-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el isofs-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el jfs-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el kernel-image-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el linux-headers-4.9.0-12-all-mips64el | 4.9.210-1+deb9u1 | mips64el loop-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el md-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el minix-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el mmc-core-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el mmc-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el mouse-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el multipath-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el nbd-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el nic-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el nic-shared-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el nic-usb-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el nic-wireless-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el ntfs-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el pata-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el ppp-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el sata-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el scsi-core-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el scsi-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el sound-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el squashfs-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el udf-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el usb-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el usb-serial-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el usb-storage-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el virtio-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el xfs-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el zlib-modules-4.9.0-12-5kc-malta-di | 4.9.210-1+deb9u1 | mips64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:56:34 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: affs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel ata-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel btrfs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel cdrom-core-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel crc-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel crypto-dm-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel crypto-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel event-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel ext4-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel fat-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel fb-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel firewire-core-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel fuse-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel hfs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel input-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel isofs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel jfs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel kernel-image-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel linux-headers-4.9.0-12-loongson-3 | 4.9.210-1+deb9u1 | mips64el, mipsel linux-image-4.9.0-12-loongson-3 | 4.9.210-1+deb9u1 | mips64el, mipsel linux-image-4.9.0-12-loongson-3-dbg | 4.9.210-1+deb9u1 | mips64el, mipsel loop-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel md-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel minix-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel multipath-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel nbd-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel nfs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel nic-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel nic-shared-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel nic-usb-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel nic-wireless-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel ntfs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel pata-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel ppp-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel sata-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel scsi-core-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel scsi-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel sound-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel speakup-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel squashfs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel udf-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel usb-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel usb-serial-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel usb-storage-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel virtio-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel xfs-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel zlib-modules-4.9.0-12-loongson-3-di | 4.9.210-1+deb9u1 | mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:56:42 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: linux-headers-4.9.0-12-all-mipsel | 4.9.210-1+deb9u1 | mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:56:57 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: ata-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el btrfs-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el cdrom-core-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el crc-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el crypto-dm-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el crypto-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el event-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el ext4-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el fancontrol-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el fat-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el firewire-core-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el fuse-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el hypervisor-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el input-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el isofs-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el jfs-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el kernel-image-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el linux-headers-4.9.0-12-all-ppc64el | 4.9.210-1+deb9u1 | ppc64el linux-headers-4.9.0-12-powerpc64le | 4.9.210-1+deb9u1 | ppc64el linux-image-4.9.0-12-powerpc64le | 4.9.210-1+deb9u1 | ppc64el linux-image-4.9.0-12-powerpc64le-dbg | 4.9.210-1+deb9u1 | ppc64el loop-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el md-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el mouse-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el multipath-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el nbd-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el nic-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el nic-shared-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el ppp-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el sata-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el scsi-core-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el scsi-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el serial-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el squashfs-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el udf-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el uinput-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el usb-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el usb-serial-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el usb-storage-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el virtio-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el xfs-modules-4.9.0-12-powerpc64le-di | 4.9.210-1+deb9u1 | ppc64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:57:30 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: acpi-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 ata-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 btrfs-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 cdrom-core-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 crc-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 crypto-dm-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 crypto-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 efi-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 event-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 ext4-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 fat-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 fb-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 firewire-core-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 fuse-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 hyperv-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 i2c-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 input-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 isofs-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 jfs-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 kernel-image-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 linux-headers-4.9.0-12-all-amd64 | 4.9.210-1+deb9u1 | amd64 linux-headers-4.9.0-12-amd64 | 4.9.210-1+deb9u1 | amd64 linux-headers-4.9.0-12-rt-amd64 | 4.9.210-1+deb9u1 | amd64 linux-image-4.9.0-12-amd64 | 4.9.210-1+deb9u1 | amd64 linux-image-4.9.0-12-amd64-dbg | 4.9.210-1+deb9u1 | amd64 linux-image-4.9.0-12-rt-amd64 | 4.9.210-1+deb9u1 | amd64 linux-image-4.9.0-12-rt-amd64-dbg | 4.9.210-1+deb9u1 | amd64 loop-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 md-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 mmc-core-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 mmc-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 mouse-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 multipath-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 nbd-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 nic-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 nic-pcmcia-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 nic-shared-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 nic-usb-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 nic-wireless-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 ntfs-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 pata-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 pcmcia-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 pcmcia-storage-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 ppp-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 sata-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 scsi-core-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 scsi-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 serial-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 sound-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 speakup-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 squashfs-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 udf-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 uinput-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 usb-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 usb-serial-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 usb-storage-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 virtio-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 xfs-modules-4.9.0-12-amd64-di | 4.9.210-1+deb9u1 | amd64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:57:43 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: btrfs-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x crc-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x crypto-dm-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x crypto-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x dasd-extra-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x dasd-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x ext4-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x fat-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x fuse-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x isofs-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x kernel-image-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x linux-headers-4.9.0-12-all-s390x | 4.9.210-1+deb9u1 | s390x linux-headers-4.9.0-12-s390x | 4.9.210-1+deb9u1 | s390x linux-image-4.9.0-12-s390x | 4.9.210-1+deb9u1 | s390x linux-image-4.9.0-12-s390x-dbg | 4.9.210-1+deb9u1 | s390x loop-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x md-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x multipath-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x nbd-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x nic-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x scsi-core-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x scsi-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x udf-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x virtio-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x xfs-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x zlib-modules-4.9.0-12-s390x-di | 4.9.210-1+deb9u1 | s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:58:20 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: linux-headers-4.9.0-12-all-mips | 4.9.210-1+deb9u1 | mips ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:58:37 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: linux-headers-4.9.0-12-common | 4.9.210-1+deb9u1 | all linux-headers-4.9.0-12-common-rt | 4.9.210-1+deb9u1 | all linux-support-4.9.0-12 | 4.9.210-1+deb9u1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:28:11 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: profphd | 1.0.42-1 | source, all Closed bugs: 898826 ------------------- Reason ------------------- RoM; unusable ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:28:37 -0000] [ftpmaster: Mark Hymers] Removed the following packages from oldstable: python-weboob | 1.2-1 | all python-weboob-core | 1.2-1 | all weboob | 1.2-1 | source, all weboob-qt | 1.2-1 | all Closed bugs: 905385 ------------------- Reason ------------------- RoM; unmaintained; already removed from later releases ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:29:02 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: simpleid | 0.8.1-15 | source, all Closed bugs: 929871 ------------------- Reason ------------------- RoM; does not work with PHP7 ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:29:36 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firefox-esr | 60.9.0esr-1~deb9u1 | armel Closed bugs: 952647 ------------------- Reason ------------------- RoQA; version 68+ no longer supported on armel ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:29:58 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firefox-esr | 52.9.0esr-1~deb9u1 | mips, mips64el, mipsel Closed bugs: 952648 ------------------- Reason ------------------- RoQA; missing B-D/FTBFS ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:30:16 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libperlspeak-perl | 2.01-2 | source, all Closed bugs: 954299 ------------------- Reason ------------------- RoST; unmaintained; security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:31:43 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: enigmail | 2:2.0.8-5~deb9u1 | source, all Closed bugs: 956701 ------------------- Reason ------------------- RoQA; incompatible with stretch's thunderbird ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:32:00 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: yahoo2mbox | 0.24-2 | source, all Closed bugs: 958573 ------------------- Reason ------------------- RoQA; unusable since 2013 ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:32:26 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: kerneloops | 0.12+git20140509-6 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x kerneloops-applet | 0.12+git20140509-6 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 958576 ------------------- Reason ------------------- RoQA; service http://oops.kernel.org no longer available ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:32:45 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: quotecolors | 0.3-4 | source xul-ext-quotecolors | 0.3-4 | all Closed bugs: 958923 ------------------- Reason ------------------- RoM; incompatible with newer Thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:33:04 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: torbirdy | 0.2.1-1 | source xul-ext-torbirdy | 0.2.1-1 | all Closed bugs: 959377 ------------------- Reason ------------------- RoQA; incompatible with newer Thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:33:25 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libmicrodns | 0.0.3-3 | source libmicrodns-dev | 0.0.3-3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x libmicrodns0 | 0.0.3-3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 959430 ------------------- Reason ------------------- RoM; security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:33:47 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: getlive | 2.4+cvs20120801-1 | source, all Closed bugs: 959492 ------------------- Reason ------------------- RoQA; Upstream Dead; Not Working Anymore ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:34:05 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firefoxdriver | 2.53.2-3 | amd64, i386 selenium-firefoxdriver | 2.53.2-3 | source Closed bugs: 960586 ------------------- Reason ------------------- RoQA; does not support firefox beyond 52.0 ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:34:25 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: pdns-recursor | 4.0.4-1+deb9u4 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 961270 ------------------- Reason ------------------- RoM; unsupported ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:34:44 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: certificatepatrol | 2.0.14-5 | source xul-ext-certificatepatrol | 2.0.14-5 | all Closed bugs: 961515 ------------------- Reason ------------------- ROM; No longer usable after xul deprecation, dead upstream ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:35:01 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: dynalogin | 1.0.0-3 | source dynalogin-client-php | 1.0.0-3 | all dynalogin-server | 1.0.0-3+b3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x libdynalogin-1-0 | 1.0.0-3+b3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x libdynaloginclient-1-0 | 1.0.0-3+b3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x libpam-dynalogin | 1.0.0-3+b3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x simpleid-store-dynalogin | 1.0.0-3 | all Closed bugs: 964216 ------------------- Reason ------------------- RoQA; depends on to-be-removed simpleid ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:35:19 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: simpleid-ldap | 1.0.1-2 | source, all Closed bugs: 964217 ------------------- Reason ------------------- RoQA; depends on to-be-removed simpleid ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:35:35 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: predictprotein | 1.1.07-2 | source, all Closed bugs: 964316 ------------------- Reason ------------------- RoM; depends on to-be-removed profphd ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:35:51 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: colorediffs-extension | 0.6.2012.01.27.14.07.45-1 | source xul-ext-colorediffs | 0.6.2012.01.27.14.07.45-1 | all Closed bugs: 964331 ------------------- Reason ------------------- RoQA; incompatible with newer Thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:36:12 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: fonts-mathematica | 20 | all mathematica-fonts | 20 | source, all Closed bugs: 964342 ------------------- Reason ------------------- RoQA; relies on unavailable download location ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 18 Jul 2020 09:36:28 -0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: gplaycli | 0.2.1-1 | source, all Closed bugs: 964883 ------------------- Reason ------------------- RoQA; broken by Google API changes ---------------------------------------------- ========================================================================= ant (1.9.9-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * arbitrary file write vulnerability and arbitrary code execution using a specially crafted zip file (CVE-2018-10886) + unzip and friends could monitor where they write more closely + forgot to update the manual + and forgot two words + change stripAbsolutePathSpec's default + add additional isLeadingPath method that resolves symlinks + take symlinks into account when expanding archives and checking entries * Add NEWS.Debian file to document possibly breaking changes * Adjust versions to Debian version for the CVE-2018-10886 changes in documentation. apache-log4j1.2 (1.2.17-7+deb9u1) stretch-security; urgency=high . * Team upload. * Fix CVE-2019-17571. (Closes: #947124) Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. apt (1.4.10) stretch-security; urgency=high . * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177) - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated member names in error path - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated member names in error path - CVE-2020-3810 * Fix-up size in 1.4.9 security fix test case * Add .gitlab-ci.yml for CI testing on Salsa atril (1.16.1-2+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * dvi: Mitigate command injection attacks by quoting filename (CVE-2017-1000159) * Fix overflow checks in tiff backend (CVE-2019-1010006) * tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459) awl (0.57-1+deb9u1) stretch-security; urgency=high . * Fix two security vulnerablilites (closes: #956650) + CVE-2020-11728 "Session::__construct() allows use of the current time as a session key" + CVE-2020-11729 "LSIDLogin() is insecure and can allow user impersonation" bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium . [Sven Hartge] * Let PID files be owned by root. Mitigates a minor security problem similar to CVE 2017-14610. Note that this change disables automatic tracebacks. . [Carsten Leonhardt] * Added transitional package bacula-director-common, the old leftover package can't be safely purged otherwise (it deletes /etc/bacula/bacula-dir.conf in postrm which now belongs to the bacula-director package). For the case when the package bacula-director-common is deinstalled but not purged, we neutralize the offending postrm script when upgrading bacula-common. (Closes: #880529) base-files (9.9+deb9u13) stretch; urgency=medium . * Change /etc/debian_version to 9.13, for Debian 9.13 point release. batik (1.8-4+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * CVE-2019-17566: Server-side request forgery via xlink:href attributes. (Closes: #964510) bind9 (1:9.10.3.dfsg.P4-12.3+deb9u6) stretch-security; urgency=medium . * [CVE-2020-8616]: Fix NXNSATTACK amplification attack on BIND 9 * [CVE-2020-8617]: Fix assertion failure in TSIG processing code bluez (5.43-2+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Address INTEL-SA-00352 (CVE-2020-0556) (Closes: #953770) - HOGP must only accept data from bonded devices - HID accepts bonded device connections only * input: hog: Attempt to set security level if not bonded * input: Add LEAutoSecurity setting to input.conf c-icap-modules (1:0.4.4-1+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Backport support for ClamAV 0.102. (Closes: #952009) ca-certificates (20200601~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * Merge changes from 20200601 - d/control * This release updates the Mozilla CA bundle to 2.40, blacklists distrusted Symantec roots, and blacklists expired "AddTrust External Root". Closes: #956411, #955038, #911289, #961907 * Fix permissions on /usr/local/share/ca-certificates when using symlinks. Closes: #916833 * Remove email-only roots from mozilla trust store. Closes: #721976 ca-certificates (20190110) unstable; urgency=high . * debian/control: Depend on openssl (>= 1.1.1). Set Standards-Version: 4.3.0.1. Set Build-Depends: debhelper-compat (= 12); drop d/compat Remove trailing whitespace from d/changelog. * debian/ca-certificates.postinst: Fix permissions on /usr/local/share/ca-certificates when using symlinks. Closes: #916833 * sbin/update-ca-certificates: Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl rehash` from exiting with an error. Closes: #895482, #895473 This will also fix removal of user CA certificates from /usr/local without needing to run --fresh. Closes: #911303 * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.28. The following certificate authorities were added (+): + "GlobalSign Root CA - R6" + "OISTE WISeKey Global Root GC CA" The following certificate authorities were removed (-): - "Certplus Root CA G1" - "Certplus Root CA G2" - "OpenTrust Root CA G1" - "OpenTrust Root CA G2" - "OpenTrust Root CA G3" - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" - "Visa eCommerce Root" ca-certificates (20180409) unstable; urgency=medium . [ Michael Shuler ] * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.22. The following certificate authorities were added (+): + "GDCA TrustAUTH R5 ROOT" + "SSL.com EV Root Certification Authority ECC" + "SSL.com EV Root Certification Authority RSA R2" + "SSL.com Root Certification Authority ECC" + "SSL.com Root Certification Authority RSA" + "TrustCor ECA-1" + "TrustCor RootCert CA-1" + "TrustCor RootCert CA-2" The following certificate authorities were removed (-): - "ACEDICOM Root" - "AddTrust Low-Value Services Root" - "AddTrust Public Services Root" - "AddTrust Qualified Certificates Root" - "CA Disig Root R1" - "CNNIC ROOT" - "Camerfirma Chambers of Commerce Root" - "Camerfirma Global Chambersign Root" - "Certinomis - Autorité Racine" - "Certum Root CA" - "China Internet Network Information Center EV Certificates Root" - "Comodo Secure Services root" - "Comodo Trusted Services root" - "DST ACES CA X6" - "GeoTrust Global CA 2" - "PSCProcert" - "Security Communication EV RootCA1" - "Swisscom Root CA 1" - "Swisscom Root CA 2" - "Swisscom Root EV CA 2" - "TURKTRUST Certificate Services Provider Root 2007" - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" - "UTN USERFirst Hardware Root CA" * mozilla/blacklist.txt Update blacklist to remove certificates no longer in certdata.txt and explicitly ignore distrusted certificates. * debian/copyright: Fix lintian insecure-copyright-format-uri with https URL. * debian/changelog: Fix lintian file-contains-trailing-whitespace. * debian/{compat,control}: Set to debhelper compat 11. * Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop usage of `c_rehash` script. Closes: #895075 . [ Thijs Kinkhorst ] * Remove Christian Perrier from uploaders at his request (closes: #894070). * Checked for policy 4.1.4, no changes. ca-certificates (20170717) unstable; urgency=medium . * Update to Standards-Version: 4.0.1 * debian/ca-certificates.postinst: Prevent postinst failure on read-only /usr/local. Closes: #843722 * mozilla/certdata2pem.py: Remove email-only roots from mozilla trust store. Closes: #721976 * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.14. Closes: #858064 The following certificate authorities were added (+): + "AC RAIZ FNMT-RCM" + "Amazon Root CA 1" + "Amazon Root CA 2" + "Amazon Root CA 3" + "Amazon Root CA 4" + "D-TRUST Root CA 3 2013" + "LuxTrust Global Root 2" + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" The following certificate authorities were removed (-): - "AC Raiz Certicamara S.A." - "ApplicationCA - Japanese Government" - "Buypass Class 2 CA 1" - "ComSign CA" - "EBG Elektronik Sertifika Hizmet Saglayicisi" - "Equifax Secure CA" - "Equifax Secure eBusiness CA 1" - "Equifax Secure Global eBusiness CA" - "IGC/A" - "Juur-SK" - "Microsec e-Szigno Root CA" - "Root CA Generalitat Valenciana" - "RSA Security 2048 v3" - "S-TRUST Authentication and Encryption Root CA 2005 PN" - "S-TRUST Universal Root CA" - "SwissSign Platinum CA - G2" - "TC TrustCenter Class 3 CA II" - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" - "UTN USERFirst Email Root CA" - "Verisign Class 1 Public Primary Certification Authority" - "Verisign Class 1 Public Primary Certification Authority - G3" - "Verisign Class 2 Public Primary Certification Authority - G2" - "Verisign Class 2 Public Primary Certification Authority - G3" - "Verisign Class 3 Public Primary Certification Authority" - "WellsSecure Public Root Certificate Authority" checkstyle (6.15-1+deb9u1) stretch; urgency=medium . * Team upload. * Fix CVE-2019-9658 and CVE-2019-10782: Security researchers from Snyk discovered that the fix for CVE-2019-9658 was incomplete. Checkstyle, a development tool to help programmers write Java code that adheres to a coding standard, was still vulnerable to XML External Entity (XXE) injection. (Closes: #924598) chromium (73.0.3683.75-1~deb9u1) stretch-security; urgency=medium . * New upstream stable release. - CVE-2019-5787: Use after free in Canvas. Reported by Zhe Jin - CVE-2019-5788: Use after free in FileAPI. Reported by Mark Brand - CVE-2019-5789: Use after free in WebMIDI. Reported by Mark Brand - CVE-2019-5790: Heap buffer overflow in V8. Reported by Dimitri Fourny - CVE-2019-5791: Type confusion in V8. Reported by Choongwoo Han - CVE-2019-5792: Integer overflow in PDFium. Reported by pdknsk - CVE-2019-5793: Excessive permissions for private API in Extensions. Reported by Jun Kokatsu - CVE-2019-5794: Security UI spoofing. Reported by Juno Im of Theori - CVE-2019-5795: Integer overflow in PDFium. Reported by pdknsk - CVE-2019-5796: Race condition in Extensions. Reported by Mark Brand - CVE-2019-5797: Race condition in DOMStorage. Reported by Mark Brand - CVE-2019-5798: Out of bounds read in Skia. Reported by Tran Tien Hung - CVE-2019-5799: CSP bypass with blob URL. Reported by sohalt - CVE-2019-5800: CSP bypass with blob URL. Reported by Jun Kokatsu - CVE-2019-5802: Security UI spoofing. Reported by Ronni Skansing - CVE-2019-5803: CSP bypass with Javascript URLs'. Reported by Andrew Comminos chromium (73.0.3683.56-2) experimental; urgency=medium . * Fix build failure on armhf. chromium (73.0.3683.56-1) experimental; urgency=medium . * New upstream beta release. chromium (73.0.3683.39-1) experimental; urgency=medium . * New upstream beta release. chromium (72.0.3626.122-1) unstable; urgency=medium . * New upstream stable release. chromium (72.0.3626.121-1) unstable; urgency=medium . * New upstream stable release. - CVE-2019-5786: Use-after-free in FileReader chromium (72.0.3626.109-1) unstable; urgency=medium . * New upstream stable release. - CVE-2019-5784: Inappropriate implementation in V8. Reported by Lucas Pinheiro * Build pdfium using system lcms. * Renable support for kerberos (closes: #916684). * Fix 32-bit type error in the vaapi implementation (closes: #921823). chromium (72.0.3626.96-1~deb9u1) stretch-security; urgency=medium . * New upstream stable release. - CVE-2019-5784: Inappropriate implementation in V8. Reported by Lucas Pinheiro chromium (72.0.3626.81-1) unstable; urgency=medium . * New upstream stable release. - Stack buffer overflow in Skia. Reported by Ivan Fratric - Use after free in Mojo, FileAPI, and Payments. Reported by Mark Brand - CVE-2018-17481: Use after free in PDFium. Reported by Anonymous - CVE-2019-5754: Inappropriate implementation in QUIC Networking. Reported by Klzgrad - CVE-2019-5755: Inappropriate implementation in V8. Reported by Jay Bosamiya - CVE-2019-5756: Use after free in PDFium. Reported by Anonymous - CVE-2019-5757: Type Confusion in SVG. Reported by Alexandru Pitis - CVE-2019-5758: Use after free in Blink. Reported by Zhe Jin - CVE-2019-5759: Use after free in HTML select elements. Reported by Almog Benin - CVE-2019-5760: Use after free in WebRTC. Reported by Zhe Jin - CVE-2019-5762: Use after free in PDFium. Reported by Anonymous - CVE-2019-5763: Insufficient validation of untrusted input in V8. Reported by Guang Gong - CVE-2019-5764: Use after free in WebRTC. Reported by Eyal Itkin - CVE-2019-5765: Insufficient policy enforcement in the browser. Reported by Sergey Toshin - CVE-2019-5766: Insufficient policy enforcement in Canvas. Reported by David Erceg - CVE-2019-5767: Incorrect security UI in WebAPKs. Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao - CVE-2019-5768: Insufficient policy enforcement in DevTools. Reported by Rob Wu - CVE-2019-5769: Insufficient validation of untrusted input in Blink. Reported by Guy Eshel - CVE-2019-5770: Heap buffer overflow in WebGL. Reported by hemidallt - CVE-2019-5772: Use after free in PDFium. Reported by Zhen Zhou - CVE-2019-5773: Insufficient data validation in IndexedDB. Reported by Yongke Wang - CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing. Reported by Junghwan Kang and Juno Im - CVE-2019-5775: Insufficient policy enforcement in Omnibox. Reported by evi1m0 - CVE-2019-5776: Insufficient policy enforcement in Omnibox. Reported by Lnyas Zhang - CVE-2019-5777: Insufficient policy enforcement in Omnibox. Reported by Khalil Zhani - CVE-2019-5778: Insufficient policy enforcement in Extensions. Reported by David Erceg - CVE-2019-5779: Insufficient policy enforcement in ServiceWorker. Reported by David Erceg - CVE-2019-5780: Insufficient policy enforcement. Reported by Andreas Hegenberg - CVE-2019-5781: Insufficient policy enforcement in Omnibox. Reported by evi1m0 - CVE-2019-5782: Inappropriate implementation in V8 reported by Qixun Zhao - CVE-2019-5783: Insufficient validation of untrusted input in DevTools. Reported by Shintaro Kobori * Opt out of all Google web service options by default (closes: #916320). * Enable support for hardware accelerated video decoding (closes: #856255). - Thanks to Akarshan Biswas. chromium (72.0.3626.53-1) unstable; urgency=medium . * New upstream beta release. * Organize the gcc 6 patches. * Update standards version to 4.3.0. * Drop libsrtp from the build dependencies (closes: #918542). chromium (72.0.3626.7-6) unstable; urgency=medium . * Upload to unstable: fix FTBFS on arm64 and armhf chromium (72.0.3626.7-5) experimental; urgency=medium . * Fix armhf and arm64 builds chromium (72.0.3626.7-4) unstable; urgency=medium . * Reenable support for widevine (closes: #916058). * Update maintainer to chromium@packages.debian.org (closes: #915988). chromium (72.0.3626.7-3) unstable; urgency=medium . * Remove unintended extra brace in arm patch. chromium (72.0.3626.7-2) experimental; urgency=medium . * Fix build failures on arm. chromium (72.0.3626.7-1) experimental; urgency=medium . * New upstream developmental release. chromium (71.0.3578.80-1) unstable; urgency=medium . * New upstream stable release. - CVE-2018-17480: Out of bounds write in V8. Reported by Guang Gong - CVE-2018-17481: Use after frees in PDFium. Reported by Anonymous - CVE-2018-18335: Heap buffer overflow in Skia. Reported by Anonymous - CVE-2018-18336: Use after free in PDFium. Reported by Huyna - CVE-2018-18337: Use after free in Blink. Reported by cloudfuzzer - CVE-2018-18338: Heap buffer overflow in Canvas. Reported by Zhe Jin - CVE-2018-18339: Use after free in WebAudio. Reported by cloudfuzzer - CVE-2018-18340: Use after free in MediaRecorder. Reported by Anonymous - CVE-2018-18341: Heap buffer overflow in Blink. Reported by cloudfuzzer - CVE-2018-18342: Out of bounds write in V8. Reported by Guang Gong - CVE-2018-18343: Use after free in Skia. Reported by Tran Tien Hung - CVE-2018-18344: Inappropriate implementation in Extensions. Reported by Jann Horn - CVE-2018-18345: Inappropriate implementation in Site Isolation. Reported by Masato Kinugawa and Jun Kokatsu - CVE-2018-18346: Incorrect security UI in Blink. Reported by Luan Herrera - CVE-2018-18347: Inappropriate implementation in Navigation. Reported by Luan Herrera - CVE-2018-18348: Inappropriate implementation in Omnibox. Reported by Ahmed Elsobky - CVE-2018-18349: Insufficient policy enforcement in Blink. Reported by David Erceg - CVE-2018-18350: Insufficient policy enforcement in Blink. Reported by Jun Kokatsu - CVE-2018-18351: Insufficient policy enforcement in Navigation. Reported by Jun Kokatsu - CVE-2018-18352: Inappropriate implementation in Media. Reported by Jun Kokatsu - CVE-2018-18353: Inappropriate implementation in Network Authentication. Reported by Wenxu Wu - CVE-2018-18354: Insufficient data validation in Shell Integration. Reported by Wenxu Wu - CVE-2018-18355: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 - CVE-2018-18356: Use after free in Skia. Reported by Tran Tien Hung - CVE-2018-18357: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 - CVE-2018-18358: Insufficient policy enforcement in Proxy. Reported by Jann Horn - CVE-2018-18359: Out of bounds read in V8. Reported by cyrilliu - Inappropriate implementation in PDFium. Reported by Salem Faisal Elmrayed - Use after free in Extensions. Reported by Zhe Jin - Inappropriate implementation in Navigation. Reported by Luan Herrera - Inappropriate implementation in Navigation. Reported by Jesper van den Ende - Insufficient policy enforcement in Navigation. Reported by Ryan Pickren - Insufficient policy enforcement in URL Formatter. Reported by evi1m0 chromium (71.0.3578.62-1) unstable; urgency=medium . * New upstream beta release. * Rename the source package to chromium. * Build using the system jsoncpp library. * Remove non-free unrar source from the upstream tarball (closes: #914487). - Requires safe browsing inspection of rar files to be disabled. chromium (0.9.12-13) unstable; urgency=low * New maintainer (Closes: #417805). * Use quilt instead of dpatch. * debian/control: + Set maintainer to the Debian Games Team. + Set policy to 3.7.2. + Added Vcs fields. + Uncapitalised short description. * debian/compat: + Set level to 5. * debian/chromium.desktop: + Added Ubuntu’s .desktop, thanks to Reinhard Tartler (Closes: #364276). * 05_wall_flag.diff: + New patch. Add -Wall -W -g to the build flags. * debian/patches/35_powerup_crash.diff: + Fix a crash in the powerhup handling, courtesy of Brandon Barne (Closes: #411614). * debian/patches/40_sdl_quit.diff: + Honour SDL_QUIT, courtesy of Thue Janus Kristensen (Closes: #390313). chromium (0.9.12-12) unstable; urgency=low * Rebuild for new openal - Added build dep on libalut-dev - Changed AL patch to more correctly use its API - Added -lalut to the configure patch * Changed debhelper compat level to 4 chromium (0.9.12-11) unstable; urgency=low * Made build-dep on openal more strict to avoid FTBFS (Closes: #332588) * Changed xlibmesa build dep to glu version (Closes: 328042) chromium (0.9.12-9) unstable; urgency=low * add build-dep on dpatch :-( chromium (0.9.12-8) unstable; urgency=low * Rebuild for CXX transition * dpatch-ification - removed some unneeded casts for g++4 - Updated some code to new OpenAL API * bumped policy version to 3.6.2.0 chromium (0.9.12-7) unstable; urgency=low * Fixed segv when reading highscore file(Closes: 300150) Thanks to Alan Woodland chromium (0.9.12-6) unstable; urgency=low * Fixed sound fx level relative to music (Closes: 215037) Thanks to Joachim Breitner chromium (0.9.12-5) unstable; urgency=low * Added menu icon, thanks to Mark Purcell(Closes: 273439) * Quoted all entries in the menu file * Upped standards version to 3.6.1.0 chromium (0.9.12-4) unstable; urgency=low * Removed rpath hack as sed seems to be buggy on ARM. :( chromium (0.9.12-3) unstable; urgency=low * Updated the description to be a bit more informative. * Added a hack to get around sdl-config's insertion of rpaths. chromium (0.9.12-2) unstable; urgency=low * Fixed bug that put binary in /usr/bin instead of /usr/games (Closes: 183776) chromium (0.9.12-1) unstable; urgency=low * New Upstream release. (Closes: 178254) * New Maintainer (Closes: 182982) * Added note about music playing to README.Debian (Closes: 177244) * Repackaged so that it is not a debian native package. * Now uses system libs for openAL and libglpng instead of local static versions. * Changed Data directory to just [...]/chromium instead of chromium-data/ * passed in data directory to compilation making the wrapper script obsolete. chromium-browser (71.0.3578.80-1~deb9u1) stretch-security; urgency=medium . * New upstream stable release. - CVE-2018-17480: Out of bounds write in V8. Reported by Guang Gong - CVE-2018-17481: Use after frees in PDFium. Reported by Anonymous - CVE-2018-18335: Heap buffer overflow in Skia. Reported by Anonymous - CVE-2018-18336: Use after free in PDFium. Reported by Huyna - CVE-2018-18337: Use after free in Blink. Reported by cloudfuzzer - CVE-2018-18338: Heap buffer overflow in Canvas. Reported by Zhe Jin - CVE-2018-18339: Use after free in WebAudio. Reported by cloudfuzzer - CVE-2018-18340: Use after free in MediaRecorder. Reported by Anonymous - CVE-2018-18341: Heap buffer overflow in Blink. Reported by cloudfuzzer - CVE-2018-18342: Out of bounds write in V8. Reported by Guang Gong - CVE-2018-18343: Use after free in Skia. Reported by Tran Tien Hung - CVE-2018-18344: Inappropriate implementation in Extensions. Reported by Jann Horn - CVE-2018-18345: Inappropriate implementation in Site Isolation. Reported by Masato Kinugawa and Jun Kokatsu - CVE-2018-18346: Incorrect security UI in Blink. Reported by Luan Herrera - CVE-2018-18347: Inappropriate implementation in Navigation. Reported by Luan Herrera - CVE-2018-18348: Inappropriate implementation in Omnibox. Reported by Ahmed Elsobky - CVE-2018-18349: Insufficient policy enforcement in Blink. Reported by David Erceg - CVE-2018-18350: Insufficient policy enforcement in Blink. Reported by Jun Kokatsu - CVE-2018-18351: Insufficient policy enforcement in Navigation. Reported by Jun Kokatsu - CVE-2018-18352: Inappropriate implementation in Media. Reported by Jun Kokatsu - CVE-2018-18353: Inappropriate implementation in Network Authentication. Reported by Wenxu Wu - CVE-2018-18354: Insufficient data validation in Shell Integration. Reported by Wenxu Wu - CVE-2018-18355: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 - CVE-2018-18356: Use after free in Skia. Reported by Tran Tien Hung - CVE-2018-18357: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 - CVE-2018-18358: Insufficient policy enforcement in Proxy. Reported by Jann Horn - CVE-2018-18359: Out of bounds read in V8. Reported by cyrilliu - Inappropriate implementation in PDFium. Reported by Salem Faisal Elmrayed - Use after free in Extensions. Reported by Zhe Jin - Inappropriate implementation in Navigation. Reported by Luan Herrera - Inappropriate implementation in Navigation. Reported by Jesper van den Ende - Insufficient policy enforcement in Navigation. Reported by Ryan Pickren - Insufficient policy enforcement in URL Formatter. Reported by evi1m0 chromium-browser (70.0.3538.110-1) unstable; urgency=medium . * New upstream security release. - CVE-2018-17479: Use-after-free in GPU. clamav (0.102.3+dfsg-0~deb9u1) stretch; urgency=medium . [ Sebastian Andrzej Siewior ] * Import 0.102.3 - CVE-2020-3327 (A vulnerability in the ARJ archive parsing module) - CVE-2020-3341 (A vulnerability in the PDF parsing module) * Update symbol file. . [ Scott Kitterman ] * Add Suggests for unversioned libclamunrar package on clamav-daemon and clamav binaries clamav (0.102.2+dfsg-2) unstable; urgency=medium . * Add a patch to let freshclam consider CURL_CA_BUNDLE environment variable to set the CA bundle (like curl does) (Closes: #951057). * Recommend ca-certificates, new freshclash uses https by default. * Bump standards-version to 4.5.0 without further change * Use dh-compat level 12. clamav (0.102.2+dfsg-1) unstable; urgency=medium . * Import 0.102.2 - CVE-2020-3123 (DoS may occur in the optional DLP feature) (Closes: 950944). * Update symbol file. * Set ReceiveTimeout to 0 which is upstream default. clamav (0.102.2+dfsg-0+deb10u1) buster; urgency=medium . * Import 0.102.2 - CVE-2020-3123 (DoS may occur in the optional DLP feature) (Closes: 950944). * Update symbol file. * Set ReceiveTimeout to 0 which is upstream default. * Add a patch to let freshclam consider CURL_CA_BUNDLE environment variable to set the CA bundle (like curl does) (Closes: #951057). * Recommend ca-certificates, new freshclash uses https by default. clamav (0.102.2+dfsg-0~deb9u1) stretch; urgency=medium . * Import 0.102.2 - CVE-2020-3123 (DoS may occur in the optional DLP feature) (Closes: 950944). * Update symbol file. * Set ReceiveTimeout to 0 which is upstream default. * Add a patch to let freshclam consider CURL_CA_BUNDLE environment variable to set the CA bundle (like curl does) (Closes: #951057). * Recommend ca-certificates, new freshclash uses https by default. clamav (0.102.1+dfsg-3) unstable; urgency=medium . * clamav-daemon: Do not cause an error on start if /run/clamav already exists * clamav-daemon: Correct error from ScanOnAccess option removal so that setting LogFile options via DebConf works again (Closes: #950296) (LP: #1861497) clamav (0.102.1+dfsg-2) unstable; urgency=medium . * Add the clamonacc binary to the clamav-daemon package. * Drop ScanOnAccess option. The clamonacc provides this functionality. clamav (0.102.1+dfsg-1) unstable; urgency=medium . * Import 0.102.1 (Closes: #945265) - CVE-2019-15961 (A Denial-of-Service as a result of excessively long scan times). - Let freshclam show progress during download (Closes: #690789). * Update symbol file. * Add libfreshclam to the libclamav9 package. clamav (0.102.1+dfsg-0+deb10u2) buster; urgency=medium . * clamav-daemon: Correct error from ScanOnAccess option removal so that setting LogFile options via DebConf works again (Closes: #950296) . clamav (0.102.1+dfsg-0+deb10u1) buster; urgency=medium . * Import 0.102.1 (Closes: #945265) - CVE-2019-15961 (A Denial-of-Service as a result of excessively long scan times). - Let freshclam show progress during download (Closes: #690789). * Update symbol file. * Add libfreshclam to the libclamav9 package. * Add the clamonacc binary to the clamav-daemon package. * Drop ScanOnAccess option. The clamonacc provides this functionality. clamav (0.102.1+dfsg-0+deb10u1) buster; urgency=medium . * Import 0.102.1 (Closes: #945265) - CVE-2019-15961 (A Denial-of-Service as a result of excessively long scan times). - Let freshclam show progress during download (Closes: #690789). * Update symbol file. * Add libfreshclam to the libclamav9 package. * Add the clamonacc binary to the clamav-daemon package. * Drop ScanOnAccess option. The clamonacc provides this functionality. compactheader (3.0.0~beta5-2~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. - Lower dh compat to 10. compactheader (3.0.0~beta5-1) unstable; urgency=medium . * [89f1683] d/control: adding versioned B-D on mozilla-devscripts Using mozilla-devscripts need to be based on some recent version. * [3503e4b] debhelper: use debhelper-compat in B-D Moving over to debhelper-compat version 12, reducing the maintenance of used files. * [e3ef1f4] d/control: bump Standards-Version to 4.4.1 No further changes needed. * [e1787a9] d/control: move Homepage info over to GitHub The upstream project lives basically more on GitHub than on the old mozdev website. * [8944c9d] d/gbp.conf: exclude some more VCS files The upstream source can include some old Mercurial VCS controlling files which are useless fur us, exclude them while importing the source. * [8b0d586] New upstream version 3.0.0~beta5 The AddOn is now full web-extension based. (Closes: #944021) * [ca0fad3] Remove patch queue The one patch we have used within the patch queue isn't needed any more. * [f6a6dca] d/control: remove B-D on mozilla-devscripts For now drop the usage of any helper from mozilla-devscripts as it brings no gain or advantage. The dh sequencers are enough to build the package. * [c578353] d/control: add new package webext-compactheader The source of the package is now web-extension based only, no old transitional xul stuff is included. So make this visible by moving the main binary package over to webext-* syntax. * [d12d2a1] d/rules: adjust package install Clean up all non needed xul-* helpers, makes the mostly needed target reduced to the quite the minimum. * [37b1cd3] d/copyright: update file content Update to data reflecting the year 2019. * [4ed4c79] webext-compactheader: adding install sequencer file * [77cf260] webext-compactheader: adding linking sequencer file * [aebb2f8] d/control: no root rights needed for package build * [7c1da48] d/control: adding dependency on TB >= 68.0 * [b9a01cf] Remove install of outdated file upstream-changelog The previously installed upstream changelog file isn't really helpful and outdated. We can drop it simply. compactheader (2.1.6-1) unstable; urgency=medium . [ Carsten Schoenert ] * [73171e8] d/watch: adjust to use the GitHub tree from jmozmoz Using the move over of the Mozilla AddOn platform to addons.thunderbird.net to also move the d/watch entry to the upstream Git tree on GitHub. * [229df45] d/control: increase Standards-Version to 4.2.1 No further changes needed. * [d44b452] d/control: move package to webext-text team One more move to the packaging Git tree, as we decided on the Bof while Debconf 18 in Hsinchu the future of the Mozilla AddOns will be WebExtension it's logical to collect all extensions we package for Debian in the Salsa group for WebExtensions: https://salsa.debian.org/webext-team/ * [d482d8f] New upstream version 2.1.6 coturn (4.5.0.5-1+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * specially crafted HTTP POST request can lead to heap overflow which can result in information leak (CVE-2020-6061) (Closes: #951876) * specially crafted HTTP POST request can lead to server crash and denial of service (CVE-2020-6062) (Closes: #951876) * init with zero any new or reused stun buffers (CVE-2020-4067) cram (0.7-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Accept any test result to work around build failures. csync2 (2.0-8-g175a01c-4+deb9u1) stretch; urgency=medium . * Add patch for CVE-2019-15522 (Closes: #955445) cups (2.2.1-8+deb9u6) stretch; urgency=medium . * Backport upstream security fixes: - CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption() function in ppd-mark.c - CVE-2019-8842: The `ippReadIO` function may under-read an extension field curl (7.52.1-5+deb9u10) stretch-security; urgency=high . * Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351) https://curl.haxx.se/docs/CVE-2019-5436.html * Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009) https://curl.haxx.se/docs/CVE-2019-5481.html * Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482 (Closes: #940010) https://curl.haxx.se/docs/CVE-2019-5482.html dbus (1.10.32-0+deb9u1) stretch; urgency=medium . * New upstream stable release - CVE-2020-12049: Prevent a denial of service attack in which a local user can make the system dbus-daemon run out of file descriptors - Prevent use-after-free if two usernames share a uid debian-installer (20170615+deb9u9) stretch; urgency=medium . * Bump linux ABI to 4.9.0-13. debian-installer-netboot-images (20170615+deb9u9) stretch; urgency=medium . * Update to 20170615+deb9u9 images, from stretch-proposed-updates debian-security-support (2020.06.21~deb9u1) stretch; urgency=medium . * This update for stretch only contains changes to the files security-support-limited and security-support-ended.deb(8|9|10) from version 2020.06.21 from unstable, the changes in detail are: - from 2020.06.21: * Add cinder (OpenStack component) to security-support-ended.deb8. - from 2020.06.11: * Also add unbound to security-support-ended.deb8 - see DSA 4694-1 and https://lists.debian.org/debian-lts/2020/06/msg00024.html and follow-ups. - from 2020.06.09: * Add unbound to security-support-ended.deb9 (see DSA 4694-1). - from 2020.05.22: * Add pdns-recursor to security-support-ended.deb9 as explained in DSA-4691-1. - from 2020.05.08: * Mark OpenStack packages as being unsupported in LTS; "jessie lost support from upstream just a few weeks after the release." - from 2020.04.16: * Add tor to security-support-ended.deb8 as well, see DSA 4644-1. * Add libperlspeak-perl to security-support-ended.deb(8|9|10), because of CVE-2020-10674 (#954238), also see #954297, #954298 and #954299. - from 2020.03.22: * Add tor to security-support-ended.deb9, see DSA 4644-1. - from 2020.03.15: * security-support-limited/zoneminder: declare limited support behind an authenticated HTTP zone (see #922724). - from 2020.03.05: * Add xen to security-support-ended.deb8. - from 2020.02.21: * Add nodejs to security-support-ended.deb8 and .deb9. - from 2020.01.21: * Add nethack to security-support-ended.deb8. * Mark xen as end-of-life for Stretch (DSA 4602-1). debian-security-support (2020.06.11) unstable; urgency=medium . * Also add unbound to security-support-ended.deb8 - see DSA 4694-1 and https://lists.debian.org/debian-lts/2020/06/msg00024.html and follow-ups. debian-security-support (2020.06.09) unstable; urgency=medium . [ Salvatore Bonaccorso ] * Add unbound to security-support-ended.deb9 (see DSA 4694-1). debian-security-support (2020.05.22) unstable; urgency=medium . * Add pdns-recursor to security-support-ended.deb9 as explained in DSA-4691-1. debian-security-support (2020.05.08) unstable; urgency=medium . [ Chris Lamb ] * Mark OpenStack packages as being unsupported in LTS; "jessie lost support from upstream just a few weeks after the release." debian-security-support (2020.04.16) unstable; urgency=medium . * Add tor to security-support-ended.deb8 as well, see DSA 4644-1. * Add libperlspeak-perl to security-support-ended.deb(8|9|10), because of CVE-2020-10674 (#954238), also see #954297, #954298 and #954299. debian-security-support (2020.04.16~deb10u2) buster; urgency=medium . * Re-upload for buster. . debian-security-support (2020.04.16) unstable; urgency=medium . * Add tor to security-support-ended.deb8 as well, see DSA 4644-1. * Add libperlspeak-perl to security-support-ended.deb(8|9|10), because of CVE-2020-10674 (#954238), also see #954297, #954298 and #954299. . debian-security-support (2020.03.22) unstable; urgency=medium . [ Salvatore Bonaccorso ] * Add tor to security-support-ended.deb9, see DSA 4644-1. . debian-security-support (2020.03.15) unstable; urgency=medium . [ Dmitry Smirnov ] * security-support-limited/zoneminder: declare limited support behind an authenticated HTTP zone (see #922724). . [ Daniel Shahaf ] * Revert unintentional output change in #951874 4/4. Closes: #953732. . debian-security-support (2020.03.05) unstable; urgency=medium . [ Bastian Blank ] * Add xen to security-support-ended.deb8. . [ Holger Levsen ] * Correct bug closure for #951874 in 2020.02.25 changelog entry. #951772 was already closed in 2020.02.21. . debian-security-support (2020.02.25) unstable; urgency=medium . [ Daniel Shahaf ] * Miscellaneous sh fixes, Closes: #951874. - avoid implementation-defined behaviour. - fix --version output, use defined variable. - print errors and warnings to stderr. - clarify an error message. . [ Holger Levsen ] * postinst and check-support-status.hook: drop workaround for upgrades from releases before 2016-03-30. * check-support-status.in: - drop code needed for supporting dpkg-query from squeeze. - set DEB_LOWEST_VER_ID=8 as we dropped security-support-ended.deb7 in the last upload. - Don't exit gracefully if the detected Debian version is not supported, instead issue a warning and continue, to both do the checks that can be done and to not fail the package installation. Closes: #952383. * po/debian-security-support.pot: drop removed string. * Update all .po files for changed strings in the English original. * Add "package-uses-old-debhelper-compat-version 11" to source/lintian-overrides. The package shall be trivially buildable on stable. . debian-security-support (2020.02.21) unstable; urgency=medium . [ Holger Levsen ] * Drop security-support-ended.deb7, we don't support wheezy anymore. (eLTS is maintained outside Debian.) * Add nodejs to security-support-ended.deb8 and .deb9. * Use runuser instead of su. Closes: #890862. Thanks to Jakobus Schürz. * Wrap long lines in changelog entries: 2015.04.04, thanks lintian-brush. * Fix day-of-week for changelog entry 2015.04.04, thanks lintian-brush. . [ Daniel Shahaf ] * Allow one to exclude specific packages from the check. Closes: #951442. * Prefix "check-support-status: " to error messages. Closes: #951772. . debian-security-support (2020.01.21) unstable; urgency=medium . [ Abhijith PA ] * Add nethack to security-support-ended.deb8. . [ Salvatore Bonaccorso ] * Mark xen as end-of-life for Stretch (DSA 4602-1). . [ Holger Levsen ] * Improve describe of binutils' status in security-support-limited. Thanks to Daniel Shahaf for the patch. Closes: #948634. * Bump standards version to 4.5.0, no changes needed. debian-security-support (2020.03.22) unstable; urgency=medium . [ Salvatore Bonaccorso ] * Add tor to security-support-ended.deb9, see DSA 4644-1. debian-security-support (2020.03.15) unstable; urgency=medium . [ Dmitry Smirnov ] * security-support-limited/zoneminder: declare limited support behind an authenticated HTTP zone (see #922724). . [ Daniel Shahaf ] * Revert unintentional output change in #951874 4/4. Closes: #953732. debian-security-support (2020.03.05) unstable; urgency=medium . [ Bastian Blank ] * Add xen to security-support-ended.deb8. . [ Holger Levsen ] * Correct bug closure for #951874 in 2020.02.25 changelog entry. #951772 was already closed in 2020.02.21. debian-security-support (2020.02.25) unstable; urgency=medium . [ Daniel Shahaf ] * Miscellaneous sh fixes, Closes: #951772. - avoid implementation-defined behaviour. - fix --version output, use defined variable. - print errors and warnings to stderr. - clarify an error message. . [ Holger Levsen ] * postinst and check-support-status.hook: drop workaround for upgrades from releases before 2016-03-30. * check-support-status.in: - drop code needed for supporting dpkg-query from squeeze. - set DEB_LOWEST_VER_ID=8 as we dropped security-support-ended.deb7 in the last upload. - Don't exit gracefully if the detected Debian version is not supported, instead issue a warning and continue, to both do the checks that can be done and to not fail the package installation. Closes: #952383. * po/debian-security-support.pot: drop removed string. * Update all .po files for changed strings in the English original. * Add "package-uses-old-debhelper-compat-version 11" to source/lintian-overrides. The package shall be trivially buildable on stable. debian-security-support (2020.02.21) unstable; urgency=medium . [ Holger Levsen ] * Drop security-support-ended.deb7, we don't support wheezy anymore. (eLTS is maintained outside Debian.) * Add nodejs to security-support-ended.deb8 and .deb9. * Use runuser instead of su. Closes: #890862. Thanks to Jakobus Schürz. * Wrap long lines in changelog entries: 2015.04.04, thanks lintian-brush. * Fix day-of-week for changelog entry 2015.04.04, thanks lintian-brush. . [ Daniel Shahaf ] * Allow one to exclude specific packages from the check. Closes: #951442. * Prefix "check-support-status: " to error messages. Closes: #951772. debian-security-support (2020.01.21) unstable; urgency=medium . [ Abhijith PA ] * Add nethack to security-support-ended.deb8. . [ Salvatore Bonaccorso ] * Mark xen as end-of-life for Stretch (DSA 4602-1). . [ Holger Levsen ] * Improve describe of binutils' status in security-support-limited. Thanks to Daniel Shahaf for the patch. Closes: #948634. * Bump standards version to 4.5.0, no changes needed. debian-security-support (2019.12.12) unstable; urgency=medium . * security-support-limited: point to https://www.debian.org/releases/ \ buster/amd64/release-notes/ch-information.en.html#golang-static-linking for golang* packages. debian-security-support (2019.12.12~deb10u1) buster; urgency=medium . * Re-uploaded for buster. dpdk (16.11.11-1+deb9u2) stretch-security; urgency=high . * Backport patch to fix CVE-2020-10722 and its prerequisite which affects the vhost driver drupal7 (7.52-2+deb9u11) stretch-security; urgency=medium . * SA-CORE-2020-004: CSRF due to incomplete validation of file uploads in form input drupal7 (7.52-2+deb9u10) stretch-security; urgency=medium . * SA-CORE-2019-012: Imports bundled library's security improvement needed to protect some of Drupal's configurations * SA-CORE-2020-002 and SA-CORE-2020-003: XSS issue fix imported from in a jQuery update; fix an open redirect caused by insufficient validation erlang (1:19.2.1+dfsg-2+deb9u3) stretch; urgency=medium . * Applied a patch which fixes CVE-2020-12872 vulnerability revealed for the Yaws web server (TLS server offers weak ciphers for TLS 1.0). (closes: #961422) evince (3.22.1-3+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * dvi: Mitigate command injection attacks by quoting filename (CVE-2017-1000159) * Fix overflow checks in tiff backend (CVE-2019-1010006) * Remove unused configure check for cairo_format_stride_for_width (CVE-2019-1010006) * tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459) (Closes: #927820) exim4 (4.89-2+deb9u7) stretch-security; urgency=high . * Fix authentication bypass in SPA authenticator due to out-of-bound buffer read. https://bugs.exim.org/show_bug.cgi?id=2571 CVE-2020-12783 exiv2 (0.25-3.1+deb9u2) stretch; urgency=medium . * Non-maintainer upload by the Security Team. * Minor adjustment to the patch for CVE-2018-10958 and CVE-2018-10999. The initial patch was overly restrictive in counting PNG image chunks. * CVE-2018-16336: remote denial of service (heap-based buffer over-read) via a crafted image file. fex (20160919-2~deb9u1) stretch; urgency=high . * Security fix for fexsrv. file-roller (3.22.3-1+deb9u2) stretch; urgency=medium . * CVE-2020-11736 (Closes: #956638) firefox-esr (68.10.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release * Fixes for mfsa2020-25, also known as: CVE-2020-12417, CVE-2020-12418, CVE-2020-12419, CVE-2020-12420, CVE-2020-12421. firefox-esr (68.9.0esr-1) unstable; urgency=medium . * New upstream release * Fixes for mfsa2020-21, also known as: CVE-2020-12399, CVE-2020-12405, CVE-2020-12406, CVE-2020-12410. . * debian/rules: Force using old PKCS11 API when building against newer NSS releases. Closes: #961762. * debian/control*: Bump nss build dependencies. firefox-esr (68.9.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release * Fixes for mfsa2020-21, also known as: CVE-2020-12399, CVE-2020-12405, CVE-2020-12406, CVE-2020-12410. . * debian/rules: Force using old PKCS11 API when building against newer NSS releases. Closes: #961762. * debian/control*: Bump nss build dependencies. firefox-esr (68.9.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release * Fixes for mfsa2020-21, also known as: CVE-2020-12399, CVE-2020-12405, CVE-2020-12406, CVE-2020-12410. . * debian/rules: Force using old PKCS11 API when building against newer NSS releases. Closes: #961762. * debian/control*: Bump nss build dependencies. firefox-esr (68.8.0esr-1) unstable; urgency=medium . * New upstream release * Fixes for mfsa2020-17, also known as: CVE-2020-12387, CVE-2020-6831, CVE-2020-12392, CVE-2020-12395. firefox-esr (68.8.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release * Fixes for mfsa2020-17, also known as: CVE-2020-12387, CVE-2020-6831, CVE-2020-12392, CVE-2020-12395. firefox-esr (68.8.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release * Fixes for mfsa2020-17, also known as: CVE-2020-12387, CVE-2020-6831, CVE-2020-12392, CVE-2020-12395. firefox-esr (68.7.0esr-1) unstable; urgency=medium . * New upstream release * Fixes for mfsa2020-13, also known as: CVE-2020-6821, CVE-2020-6822, CVE-2020-6825. firefox-esr (68.7.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release * Fixes for mfsa2020-13, also known as: CVE-2020-6821, CVE-2020-6822, CVE-2020-6825. firefox-esr (68.7.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release * Fixes for mfsa2020-13, also known as: CVE-2020-6821, CVE-2020-6822, CVE-2020-6825. firefox-esr (68.6.1esr-1) unstable; urgency=medium . * New upstream release * Fixes for mfsa2020-11, also known as: CVE-2020-6819, CVE-2020-6820. firefox-esr (68.6.1esr-1~deb10u1) buster-security; urgency=medium . * New upstream release * Fixes for mfsa2020-11, also known as: CVE-2020-6819, CVE-2020-6820. firefox-esr (68.6.1esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release * Fixes for mfsa2020-11, also known as: CVE-2020-6819, CVE-2020-6820. firefox-esr (68.6.0esr-1) unstable; urgency=medium . * New upstream release * Fixes for mfsa2020-09, also known as: CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6811, CVE-2019-20503, CVE-2020-6812, CVE-2020-6814. firefox-esr (68.6.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release * Fixes for mfsa2020-09, also known as: CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6811, CVE-2019-20503, CVE-2020-6812, CVE-2020-6814. firefox-esr (68.6.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release * Fixes for mfsa2020-09, also known as: CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6811, CVE-2019-20503, CVE-2020-6812, CVE-2020-6814. firefox-esr (68.5.0esr-1) unstable; urgency=medium . * New upstream release * Fixes for mfsa2020-06, also known as: CVE-2020-6796, CVE-2020-6798, CVE-2020-6800. firefox-esr (68.5.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release * Fixes for mfsa2020-06, also known as: CVE-2020-6796, CVE-2020-6798, CVE-2020-6800. firefox-esr (68.5.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release * Fixes for mfsa2020-06, also known as: CVE-2020-6796, CVE-2020-6798, CVE-2020-6800. firefox-esr (68.4.2esr-1) unstable; urgency=medium . * New upstream release. firefox-esr (68.4.1esr-1) unstable; urgency=medium . * New upstream release. * Fix for mfsa2020-03, also known as CVE-2019-17026. firefox-esr (68.4.1esr-1~deb10u1) buster-security; urgency=medium . * New upstream release. * Fix for mfsa2020-03, also known as CVE-2019-17026. fwupd (0.8.3-1) oldstable; urgency=medium . * Update to 0.8.3 point release - Upstream no longer supports the 0.7.x series * Drop existing patches all merged into 0.8.3 release. * Drop no longer used libebitdo1 and libebitdo-dev packages * Refresh symbols * Backport series of commits to allow better longevity on 0.8.x - Use a CNAME to redirect to the correct CDN for metadata (Closes: #961490) - Do not abort startup if the XML metadata file is invalid - Add the Linux Foundation public GPG keys for firmware and metadata - Raise the metadata limit to 10Mb - Validate that gpgme_op_verify_result() returned at least one signature (Closes: #962517) fwupd (0.8.2-2) unstable; urgency=medium . * Backport patch to fix detection of Dell systems fwupd (0.8.2-1) unstable; urgency=medium . [ Richard Hughes ] * trivial: post release version bump * trivial: Sync example spec file with downstream * Add DFU quirk for SIMtrace * Add DFU quirk for OpenPICC * Create directories in /var/cache as required * trivial: Fix the log domains in two plugins * trivial: No not list the API version indexes * trivial: Don't change the documentation output every time the version changes * trivial: Fix the last -Wpointer-sign warning * trivial: Change the name of a generated file * trivial: Remove non-warning flags from the CFLAGS * Use a 60 second timeout on all client downloads * Support proxy servers in fwupdmgr * Set the source origin when saving metadata * Add a config option to allow runtime disabling plugins by name * Fix the Requires lines in the dfu pkg-config file * Release fwupd 0.8.2 . [ Mario Limonciello ] * trivial: install /var/lib/fwupd in make install (#94) * trivial: allow configuring ESP location (#94) * trivial: make valgrind an optional build dependency * trivial: make /boot/efi an optional ReadWritePath (#97) * trivial: set synaptics error message in more scenarios * Drop upstream patches. . [ Shea Levy ] * Only try to mkdir the localstatedir if we have the right permissions (#96) . [ AsciiWolf ] * Update Czech translation fwupd (0.8.1-3) unstable; urgency=medium . * Backport upstream commit to make valgrind optional (Closes: #856344) * Backport upstream commit to make /boot/efi optional to start fwupd.service. fwupd (0.8.1-2) unstable; urgency=medium . * Disable optional thunderbolt support until ITP is done. fwupd (0.8.1-1) unstable; urgency=medium . * New upstream version (0.8.1). - Fixes systemd confinement crashes (Closes: #856145) (LP: #1663548) * loosen dependencies on libefivar-dev and libfwup-dev * Optionally enable thunderbolt fwupd (0.8.0-2) unstable; urgency=medium . * Only build synaptics on supported arch (fixes FTBFS) fwupd (0.8.0-1) unstable; urgency=medium . * New upstream version (0.8.0) * Refresh symbols. * Drop all now upstream patches. * Enable build hardening flags * Drop valgind build dependency from m68k * Fix fwupd process leaking into dbus cgroup (Closes: #845406) git (1:2.11.0-3+deb9u7) stretch-security; urgency=high . * Apply patches from 2.20.4 to address the security issue CVE-2020-11008. . With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. . Unlike the vulnerability fixed in 1:2.11.0-3+deb9u6, the credentials are not for a host of the attacker's choosing. Instead, they are for an unspecified host, based on how the configured credential helper handles an absent "host" parameter. . The attack has been made impossible by refusing to work with underspecified credential patterns. . Thanks to Carlo Arenas for reporting that Git was still vulnerable, Felix Wilhelm for providing the proof of concept demonstrating this issue, and Jeff King for promptly providing a corrected fix. . Tested using the proof of concept at https://crbug.com/project-zero/2021. git (1:2.11.0-3+deb9u6) stretch-security; urgency=high . [ Salvatore Bonaccorso ] * Apply patches from 2.20.3 to address the security issue CVE-2020-5260. . With a crafted URL that contains a newline, the credential helper machinery can be fooled to supply credential information for the wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol. . Thanks to Felix Wilhelm of Google Project Zero for finding this vulnerability and Jeff King for fixing it. . [ Jonathan Nieder ] * Apply security-relevant changes from 2.11.1: * doc: mention transfer data leaks in more places (thx to Matt McCutchen). * remote-curl: don't hang when a server dies before any output (thx to David Turner). * merge: avoid crlf handling related NULL dereference (thx to Markus Klein and Johannes Schindelin). * http: avoid private repository theft by mixing repositories (thx to Jann Horn of Google Project Zero). * avoid under-allocation in shallow clone code (thx to Rasmus Villemoes). * git-svn: allow "0" in SVN path components (thx to Eric Wong). * config: handle errors from fstat (thx to Josh Bleecher Snyder and Nguyễn Thái Ngọc Duy). * git_exec_path: do not return the result of getenv (thx to Jeff King). * Apply security-relevant changes from 2.12.1, 2.12.2, 2.12.3: * show-branch: avoid buffer overflow on long current branch name (thx to Jeff King). * ident: handle NULL email when complaining of empty name (thx to Jeff King). * log -L: use COPY_ARRAY to fix mis-sized memcpy on ILP32 systems (thx to Vegard Nossum). * dumb http: fix buffer underflow processing remote alternates (thx to Jeff King). * log -S: avoid out-of-bounds read with -S --pickaxe-regex (thx to SZEDER Gábor). * Apply security- and portability-relevant changes from 2.13.1, 2.13.3, 2.13.4: * checkout, am: avoid NULL pointer dereference when HEAD is invalid (thx to René Scharfe). * pack-bitmap: don't perform unaligned memory access (thx to James Clarke). * apply: avoid out of bounds reads when processing malformed patches (thx to Vegard Nossum and René Scharfe). * log -g: avoid use-after-free when reading empty reflog in date order (thx to Jeff King). * Apply security-relevant changes from 2.14.3: * avoid reading uninitialized memory when HEAD is too short (thx to Jeff King). * fsck: avoid NULL pointer dereference when encountering objects of unexpected type (thx to SZEDER Gábor and René Scharfe). glib-networking (2.50.0-1+deb9u1) stretch; urgency=medium . * Team upload * d/p/Return-bad-identity-error-if-identity-is-unset.patch: Backport fix for CVE-2020-13645 from upstream (Closes: #961756) gnutls28 (3.5.8-5+deb9u5) stretch; urgency=medium . * Pull fixes for CVE-2019-3829 / [GNUTLS-SA-2019-03-27, #694]. + 40_casts_related_to_fix_CVE-2019-3829.patch + 40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch + 40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch + 41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff * More important fixes: + 43_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch + 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch Handle zero length session tickets, fixing connection errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286) golang-1.7 (1.7.4-2+deb9u1) stretch-security; urgency=high . * Team upload. * Add patch to fix CVE-2019-6486 * Add patch to fix CVE-2018-7187 golang-1.8 (1.8.1-1+deb9u1) stretch-security; urgency=high . * Team upload. * Add patch to fix CVE-2019-6486 * Add patch to fix CVE-2018-6574 * Add patch to fix CVE-2018-7187 gosa (2.7.4+reloaded2-13+deb9u3) stretch; urgency=medium . * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_ encode+json_decode.patch: + Replace (un)serialize with json_encode/json_decode to mitigate PHP object injection (CVE-2019-14466). gosa (2.7.4+reloaded2-13+deb9u2) stretch; urgency=medium . [ Mike Gabriel ] * debian/patches: + Add 1029_better-whitespace-cleanup-in-genuid.patch. Prevent gen_uids() from generating UIDs containing blanks. + Add 1030_column-header-titles-group-members.patch. Fix column titles in member lists of POSIX groups. + Add 1043_smarty-add-on-function-param-types.patch. Fix missing password field, caused by PHP error "parameter 2 expected to be a reference, value given". (Closes: #918578). + Update 1026_fix-deprecated-constructor-format.patch. Drop an unwanted find+replace artefact in class_userFilter. + Add 1045_dont_use_filter_caching.patch. Disable filter caching via $_SESSION. The approach stores PHP object in $_SESSION; since php7.0 this leads to unexpected results and flawed rendering of class_management based listings. (Closes: #907815). + Rebase / update 1016_allow-same-user-ids-as-adduser.patch and 1026_fix-deprecated-constructor-format.patch. + Add 1046_CVE-2019-11187_stricter-ldap-error-check.patch. Perform stricter check on LDAP success/failure (CVE-2019-11187). . [ Benjamin Zapiec ] * debian/patches: + Add 1031_no-context-loose-continues.patch. Avoid stray continue expression. (Closes: #879105). . [ Christian Schwamborn ] * debian/patches: + Add 1032_fix_select_acl_role.patch. Use ACL from role definition: Select the correct role. + Add 1033_fix_unable_to_delete_acl_asignment.patch. Fix removing ACLs from objects (e.g. groups). + Add 1034_remove_superfluous__get_post__call_from__save_object.patch. class_sortableListing: Remove superfluous get_post() call from_ save_object() + Add 1035_acl_override_to_allow_delete_of_group_members.patch. Support member removal from groups, if someone has the right to edit the group. + Add 1036_remove_double_groupList_setEditable_setting.patch. Remove duplicate setEditable() for POSIX group lists. + Add 1037_fix_shadowexpire_checkbox_from_tmplate_setting.patch. Propagate shadow expiry from user templates to created user objects. + Add 1038_shadowexpire_in_one_line.patch. Show shadow expiry (esp. the calendar icon) in one line on screen (html template adjustment). + Add 1039_fix_sambakickofftime_checkbox_and_sambakickofftime_date_from_ tmplate_setting.patch. Fix date calculations for sambaKickoffTime and propagation from template to created user object. + Add 1040_inactive_pwd_fields_when_using_pwd_proposal.patch. Disable password entry text fields when password proposal is to be used. + Add 1041_ref_param_error_in_My_Parser.patch. Compat fix for PHP > 5.4. Hand over real variable to function. graphicsmagick (1.3.30+hg15796-1~deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix CVE-2019-12921: remote information disclosure (attacker can read arbitrary files) via a crafted image; fix is to remove support for reading from a file using '@filename' syntax * Fix CVE-2020-10938: Fix signed overflow on range check in HuffmanDecodeImage function which leads to heap overflow in 32-bit applications. graphicsmagick (1.3.30+hg15796-1~deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the LTS Team. * CVE-2019-19953 heap-based buffer over-read in the function EncodeImage * CVE-2019-19951 heap-based buffer overflow in the function ImportRLEPixels * CVE-2019-19950 use-after-free in ThrowException and ThrowLoggedException * CVE-2019-11474: floating-point exception in coders/xwd.c when processing crafted XWD images. * CVE-2019-11473: out-of-bounds read in coders/xwd.c when processing crafted XWD images. * CVE-2019-11506: missing error handling primitives causes heap-based buffer overflow in WriteMATLABImage (coders/mat.c) when processing crafted Matlab matrix data. * CVE-2019-11505: heap-based buffer overflow in WritePDBImage (coders/pdb.c) when processing crafted PDB images. * CVE-2019-11010: In GraphicsMagick there is a memory leak in the function ReadMPCImage which allows attackers to cause a denial of service via a crafted image file. * CVE-2019-11009: In GraphicsMagick there is a heap-based buffer over-read in the function ReadXWDImage which allows attackers to cause a denial of service or information disclosure via a crafted image file. * CVE-2019-11008: In GraphicsMagick there is a heap-based buffer overflow in the function WriteXWDImage which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. * CVE-2019-11007: In GraphicsMagick there is a heap-based buffer over-read in the ReadMNGImage function which allows attackers to cause a denial of service or information disclosure via an image colormap. * CVE-2019-11006: In GraphicsMagick exists a heap-based buffer over-read in the function ReadMIFFImage which allows attackers to cause a denial of service or information disclosure via an RLE packet. * CVE-2019-11005 stack buffer overflow while parsing quoted font family value * CVE-2018-20189 assertion failure in ReadDIBImage * CVE-2018-20185 heap-based buffer over-read in the ReadBMPImage * CVE-2018-20184 heap-based buffer overflow in the WriteTGAImage icu (57.1-6+deb9u4) stretch-security; urgency=high . * Backport upstream security fix for CVE-2020-10531: SEGV_MAPERR in UnicodeString::doAppend() (closes: #953747). imagemagick (8:6.9.7.4+dfsg-11+deb9u8) stretch-security; urgency=medium . * CVE-2019-13300 (Closes: #931454) * CVE-2019-13304 (Closes: #931453) * CVE_2019-13305 (Closes: #931452) * CVE-2019-13306 (Closes: #931449) * CVE-2019-13307 (Closes: #931448) * CVE-2019-15140 (Closes: #941671) * CVE-2019-19948 (Closes: #947308) intel-microcode (3.20200616.1~deb9u1) stretch; urgency=high . * Rebuild for Debian oldstable (stretch), no changes . intel-microcode (3.20200616.1) unstable; urgency=high . * New upstream microcode datafile 20200616 + Downgraded microcodes (to a previously shipped revision): sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3, https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 * This update *removes* the SRBDS mitigations from the above processors * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2 intel-microcode (3.20200609.2) unstable; urgency=medium . * REGRESSION FIX: 0x406e3: rollback to rev 0xd6 and document regression * Microcode rollbacks (closes: LP#1883002) sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 * THIS REMOVES THE SECURITY FIXES FOR SKYLAKE-U/Y PROCESSORS * Avoid hangs on boot on (some?) Skylake-U/Y processors, https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 * ucode-blacklist: blacklist models 0x8e and 0x9e from late-loading, just in case. Note that Debian does not do late loading by itself. Refer to LP#1883002 for the report, 0x806ec hangs upon late load. intel-microcode (3.20200609.2~deb10u1) buster-security; urgency=high . * Rebuild for buster-security, no changes Refer to changelog entries for 3.20200609.2 and 3.20200609.1 for details . intel-microcode (3.20200609.2) unstable; urgency=medium . * REGRESSION FIX: 0x406e3: rollback to rev 0xd6 and document regression * Microcode rollbacks (closes: LP#1883002) sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 * THIS REMOVES THE SECURITY FIXES FOR SKYLAKE-U/Y PROCESSORS * Avoid hangs on boot on (some?) Skylake-U/Y processors, https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 * ucode-blacklist: blacklist models 0x8e and 0x9e from late-loading, just in case. Note that Debian does not do late loading by itself. Refer to LP#1883002 for the report, 0x806ec hangs upon late load. . intel-microcode (3.20200609.1) unstable; urgency=high . * SECURITY UPDATE * For most processors: SRBDS and/or VRDS, L1DCES mitigations depending on the processor model * For Skylake HEDT and Skylake Xeons with signature 0x50654: VRDS and L1DCES mitigations, plus mitigations described in the changelog entry for package release 3.20191112.1. * Expect some performance impact, the mitigations are enabled by default. A Linux kernel update will be issued that allows one to selectively disable the mitigations. * New upstream microcode datafile 20200609 * Implements mitigation for CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS), INTEL-SA-00320, CROSSTalk * Implements mitigation for CVE-2020-0548 Vector Register Data Sampling (VRDS), INTEL-SA-00329 * Implements mitigation for CVE-2020-0549 L1D Cache Eviction Sampling (L1DCES), INTEL-SA-00329 * Known to fix the regression introduced in release 2019-11-12 (sig 0x50564, rev. 0x2000065), which would cause several systems with Skylake Xeon, Skylake HEDT processors to hang while rebooting * Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2019-11-12, rev 0x0028, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-11-12, rev 0x002f, size 19456 sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528 sig 0x00040661, pf_mask 0x32, 2019-11-12, rev 0x001c, size 25600 sig 0x00040671, pf_mask 0x22, 2019-11-12, rev 0x0022, size 14336 sig 0x000406e3, pf_mask 0xc0, 2020-04-27, rev 0x00dc, size 104448 sig 0x00050653, pf_mask 0x97, 2020-04-24, rev 0x1000157, size 32768 sig 0x00050654, pf_mask 0xb7, 2020-04-24, rev 0x2006906, size 34816 sig 0x00050656, pf_mask 0xbf, 2020-04-23, rev 0x4002f01, size 52224 sig 0x00050657, pf_mask 0xbf, 2020-04-23, rev 0x5002f01, size 52224 sig 0x000506e3, pf_mask 0x36, 2020-04-27, rev 0x00dc, size 104448 sig 0x000806e9, pf_mask 0x10, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806e9, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ea, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806eb, pf_mask 0xd0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ec, pf_mask 0x94, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906e9, pf_mask 0x2a, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ea, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906eb, pf_mask 0x02, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ec, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906ed, pf_mask 0x22, 2020-04-23, rev 0x00d6, size 103424 * Restores the microcode-level fixes that were reverted by release 3.20191115.2 for sig 0x50654 (Skylake Xeon, Skylake HEDT) . intel-microcode (3.20200520.1) unstable; urgency=medium . * New upstream microcode datafile 20200520 + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2020-03-04, rev 0x0621, size 18432 sig 0x000206d7, pf_mask 0x6d, 2020-03-24, rev 0x071a, size 19456 . intel-microcode (3.20200508.1) unstable; urgency=medium . * New upstream microcode datafile 20200508 + Updated Microcodes: sig 0x000706e5, pf_mask 0x80, 2020-03-12, rev 0x0078, size 107520 * Likely fixes several critical errata on IceLake-U/Y causing system hangs intel-microcode (3.20200609.2~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security, no changes Refer to changelog entries for 3.20200609.2 and 3.20200609.1 for details . intel-microcode (3.20200609.2) unstable; urgency=medium . * REGRESSION FIX: 0x406e3: rollback to rev 0xd6 and document regression * Microcode rollbacks (closes: LP#1883002) sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 * THIS REMOVES THE SECURITY FIXES FOR SKYLAKE-U/Y PROCESSORS * Avoid hangs on boot on (some?) Skylake-U/Y processors, https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 * ucode-blacklist: blacklist models 0x8e and 0x9e from late-loading, just in case. Note that Debian does not do late loading by itself. Refer to LP#1883002 for the report, 0x806ec hangs upon late load. . intel-microcode (3.20200609.1) unstable; urgency=high . * SECURITY UPDATE * For most processors: SRBDS and/or VRDS, L1DCES mitigations depending on the processor model * For Skylake HEDT and Skylake Xeons with signature 0x50654: VRDS and L1DCES mitigations, plus mitigations described in the changelog entry for package release 3.20191112.1. * Expect some performance impact, the mitigations are enabled by default. A Linux kernel update will be issued that allows one to selectively disable the mitigations. * New upstream microcode datafile 20200609 * Implements mitigation for CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS), INTEL-SA-00320, CROSSTalk * Implements mitigation for CVE-2020-0548 Vector Register Data Sampling (VRDS), INTEL-SA-00329 * Implements mitigation for CVE-2020-0549 L1D Cache Eviction Sampling (L1DCES), INTEL-SA-00329 * Known to fix the regression introduced in release 2019-11-12 (sig 0x50564, rev. 0x2000065), which would cause several systems with Skylake Xeon, Skylake HEDT processors to hang while rebooting * Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2019-11-12, rev 0x0028, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-11-12, rev 0x002f, size 19456 sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528 sig 0x00040661, pf_mask 0x32, 2019-11-12, rev 0x001c, size 25600 sig 0x00040671, pf_mask 0x22, 2019-11-12, rev 0x0022, size 14336 sig 0x000406e3, pf_mask 0xc0, 2020-04-27, rev 0x00dc, size 104448 sig 0x00050653, pf_mask 0x97, 2020-04-24, rev 0x1000157, size 32768 sig 0x00050654, pf_mask 0xb7, 2020-04-24, rev 0x2006906, size 34816 sig 0x00050656, pf_mask 0xbf, 2020-04-23, rev 0x4002f01, size 52224 sig 0x00050657, pf_mask 0xbf, 2020-04-23, rev 0x5002f01, size 52224 sig 0x000506e3, pf_mask 0x36, 2020-04-27, rev 0x00dc, size 104448 sig 0x000806e9, pf_mask 0x10, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806e9, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ea, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806eb, pf_mask 0xd0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ec, pf_mask 0x94, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906e9, pf_mask 0x2a, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ea, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906eb, pf_mask 0x02, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ec, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906ed, pf_mask 0x22, 2020-04-23, rev 0x00d6, size 103424 * Restores the microcode-level fixes that were reverted by release 3.20191115.2 for sig 0x50654 (Skylake Xeon, Skylake HEDT) . intel-microcode (3.20200520.1) unstable; urgency=medium . * New upstream microcode datafile 20200520 + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2020-03-04, rev 0x0621, size 18432 sig 0x000206d7, pf_mask 0x6d, 2020-03-24, rev 0x071a, size 19456 . intel-microcode (3.20200508.1) unstable; urgency=medium . * New upstream microcode datafile 20200508 + Updated Microcodes: sig 0x000706e5, pf_mask 0x80, 2020-03-12, rev 0x0078, size 107520 * Likely fixes several critical errata on IceLake-U/Y causing system hangs intel-microcode (3.20200609.1) unstable; urgency=high . * SECURITY UPDATE * For most processors: SRBDS and/or VRDS, L1DCES mitigations depending on the processor model * For Skylake HEDT and Skylake Xeons with signature 0x50654: VRDS and L1DCES mitigations, plus mitigations described in the changelog entry for package release 3.20191112.1. * Expect some performance impact, the mitigations are enabled by default. A Linux kernel update will be issued that allows one to selectively disable the mitigations. * New upstream microcode datafile 20200609 * Implements mitigation for CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS), INTEL-SA-00320, CROSSTalk * Implements mitigation for CVE-2020-0548 Vector Register Data Sampling (VRDS), INTEL-SA-00329 * Implements mitigation for CVE-2020-0549 L1D Cache Eviction Sampling (L1DCES), INTEL-SA-00329 * Known to fix the regression introduced in release 2019-11-12 (sig 0x50564, rev. 0x2000065), which would cause several systems with Skylake Xeon, Skylake HEDT processors to hang while rebooting * Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2019-11-12, rev 0x0028, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-11-12, rev 0x002f, size 19456 sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528 sig 0x00040661, pf_mask 0x32, 2019-11-12, rev 0x001c, size 25600 sig 0x00040671, pf_mask 0x22, 2019-11-12, rev 0x0022, size 14336 sig 0x000406e3, pf_mask 0xc0, 2020-04-27, rev 0x00dc, size 104448 sig 0x00050653, pf_mask 0x97, 2020-04-24, rev 0x1000157, size 32768 sig 0x00050654, pf_mask 0xb7, 2020-04-24, rev 0x2006906, size 34816 sig 0x00050656, pf_mask 0xbf, 2020-04-23, rev 0x4002f01, size 52224 sig 0x00050657, pf_mask 0xbf, 2020-04-23, rev 0x5002f01, size 52224 sig 0x000506e3, pf_mask 0x36, 2020-04-27, rev 0x00dc, size 104448 sig 0x000806e9, pf_mask 0x10, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806e9, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ea, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806eb, pf_mask 0xd0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ec, pf_mask 0x94, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906e9, pf_mask 0x2a, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ea, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906eb, pf_mask 0x02, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ec, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906ed, pf_mask 0x22, 2020-04-23, rev 0x00d6, size 103424 * Restores the microcode-level fixes that were reverted by release 3.20191115.2 for sig 0x50654 (Skylake Xeon, Skylake HEDT) intel-microcode (3.20200609.1~deb10u1) buster-security; urgency=high . * Rebuild for buster-security, no changes . intel-microcode (3.20200609.1) unstable; urgency=high . * SECURITY UPDATE * For most processors: SRBDS and/or VRDS, L1DCES mitigations depending on the processor model * For Skylake HEDT and Skylake Xeons with signature 0x50654: VRDS and L1DCES mitigations, plus mitigations described in the changelog entry for package release 3.20191112.1. * Expect some performance impact, the mitigations are enabled by default. A Linux kernel update will be issued that allows one to selectively disable the mitigations. * New upstream microcode datafile 20200609 * Implements mitigation for CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS), INTEL-SA-00320, CROSSTalk * Implements mitigation for CVE-2020-0548 Vector Register Data Sampling (VRDS), INTEL-SA-00329 * Implements mitigation for CVE-2020-0549 L1D Cache Eviction Sampling (L1DCES), INTEL-SA-00329 * Known to fix the regression introduced in release 2019-11-12 (sig 0x50564, rev. 0x2000065), which would cause several systems with Skylake Xeon, Skylake HEDT processors to hang while rebooting * Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2019-11-12, rev 0x0028, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-11-12, rev 0x002f, size 19456 sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528 sig 0x00040661, pf_mask 0x32, 2019-11-12, rev 0x001c, size 25600 sig 0x00040671, pf_mask 0x22, 2019-11-12, rev 0x0022, size 14336 sig 0x000406e3, pf_mask 0xc0, 2020-04-27, rev 0x00dc, size 104448 sig 0x00050653, pf_mask 0x97, 2020-04-24, rev 0x1000157, size 32768 sig 0x00050654, pf_mask 0xb7, 2020-04-24, rev 0x2006906, size 34816 sig 0x00050656, pf_mask 0xbf, 2020-04-23, rev 0x4002f01, size 52224 sig 0x00050657, pf_mask 0xbf, 2020-04-23, rev 0x5002f01, size 52224 sig 0x000506e3, pf_mask 0x36, 2020-04-27, rev 0x00dc, size 104448 sig 0x000806e9, pf_mask 0x10, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806e9, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ea, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806eb, pf_mask 0xd0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ec, pf_mask 0x94, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906e9, pf_mask 0x2a, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ea, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906eb, pf_mask 0x02, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ec, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906ed, pf_mask 0x22, 2020-04-23, rev 0x00d6, size 103424 * Restores the microcode-level fixes that were reverted by release 3.20191115.2 for sig 0x50654 (Skylake Xeon, Skylake HEDT) . intel-microcode (3.20200520.1) unstable; urgency=medium . * New upstream microcode datafile 20200520 + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2020-03-04, rev 0x0621, size 18432 sig 0x000206d7, pf_mask 0x6d, 2020-03-24, rev 0x071a, size 19456 . intel-microcode (3.20200508.1) unstable; urgency=medium . * New upstream microcode datafile 20200508 + Updated Microcodes: sig 0x000706e5, pf_mask 0x80, 2020-03-12, rev 0x0078, size 107520 * Likely fixes several critical errata on IceLake-U/Y causing system hangs intel-microcode (3.20200609.1~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security, no changes . intel-microcode (3.20200609.1) unstable; urgency=high . * SECURITY UPDATE * For most processors: SRBDS and/or VRDS, L1DCES mitigations depending on the processor model * For Skylake HEDT and Skylake Xeons with signature 0x50654: VRDS and L1DCES mitigations, plus mitigations described in the changelog entry for package release 3.20191112.1. * Expect some performance impact, the mitigations are enabled by default. A Linux kernel update will be issued that allows one to selectively disable the mitigations. * New upstream microcode datafile 20200609 * Implements mitigation for CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS), INTEL-SA-00320, CROSSTalk * Implements mitigation for CVE-2020-0548 Vector Register Data Sampling (VRDS), INTEL-SA-00329 * Implements mitigation for CVE-2020-0549 L1D Cache Eviction Sampling (L1DCES), INTEL-SA-00329 * Known to fix the regression introduced in release 2019-11-12 (sig 0x50564, rev. 0x2000065), which would cause several systems with Skylake Xeon, Skylake HEDT processors to hang while rebooting * Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2019-11-12, rev 0x0028, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-11-12, rev 0x002f, size 19456 sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528 sig 0x00040661, pf_mask 0x32, 2019-11-12, rev 0x001c, size 25600 sig 0x00040671, pf_mask 0x22, 2019-11-12, rev 0x0022, size 14336 sig 0x000406e3, pf_mask 0xc0, 2020-04-27, rev 0x00dc, size 104448 sig 0x00050653, pf_mask 0x97, 2020-04-24, rev 0x1000157, size 32768 sig 0x00050654, pf_mask 0xb7, 2020-04-24, rev 0x2006906, size 34816 sig 0x00050656, pf_mask 0xbf, 2020-04-23, rev 0x4002f01, size 52224 sig 0x00050657, pf_mask 0xbf, 2020-04-23, rev 0x5002f01, size 52224 sig 0x000506e3, pf_mask 0x36, 2020-04-27, rev 0x00dc, size 104448 sig 0x000806e9, pf_mask 0x10, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806e9, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ea, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806eb, pf_mask 0xd0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ec, pf_mask 0x94, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906e9, pf_mask 0x2a, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ea, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906eb, pf_mask 0x02, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ec, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906ed, pf_mask 0x22, 2020-04-23, rev 0x00d6, size 103424 * Restores the microcode-level fixes that were reverted by release 3.20191115.2 for sig 0x50654 (Skylake Xeon, Skylake HEDT) . intel-microcode (3.20200520.1) unstable; urgency=medium . * New upstream microcode datafile 20200520 + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2020-03-04, rev 0x0621, size 18432 sig 0x000206d7, pf_mask 0x6d, 2020-03-24, rev 0x071a, size 19456 . intel-microcode (3.20200508.1) unstable; urgency=medium . * New upstream microcode datafile 20200508 + Updated Microcodes: sig 0x000706e5, pf_mask 0x80, 2020-03-12, rev 0x0078, size 107520 * Likely fixes several critical errata on IceLake-U/Y causing system hangs intel-microcode (3.20200520.1) unstable; urgency=medium . * New upstream microcode datafile 20200520 + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2020-03-04, rev 0x0621, size 18432 sig 0x000206d7, pf_mask 0x6d, 2020-03-24, rev 0x071a, size 19456 intel-microcode (3.20200508.1) unstable; urgency=medium . * New upstream microcode datafile 20200508 + Updated Microcodes: sig 0x000706e5, pf_mask 0x80, 2020-03-12, rev 0x0078, size 107520 * Likely fixes several critical errata on IceLake-U/Y causing system hangs intel-microcode (3.20191115.2) unstable; urgency=medium . * Microcode rollbacks (closes: #946515, LP#1854764): sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 * Avoids hangs on warm reboots (cold boots work fine) on HEDT and Xeon processors with signature 0x50654. https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 intel-microcode (3.20191115.2~deb10u1) buster-security; urgency=high . * Rebuild for buster-security (no changes) * Refer to DSA-4565-2 for details. . intel-microcode (3.20191115.2) unstable; urgency=medium . * Microcode rollbacks (closes: #946515, LP#1854764): sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 * Avoids hangs on warm reboots (cold boots work fine) on HEDT and Xeon processors with signature 0x50654. https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 . intel-microcode (3.20191115.1) unstable; urgency=high . * New upstream microcode datafile 20191115 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 sig 0x000806e9, pf_mask 0x10, 2019-10-15, rev 0x00ca, size 100352 sig 0x000806e9, pf_mask 0xc0, 2019-09-26, rev 0x00ca, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806eb, pf_mask 0xd0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ec, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906ed, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 100352 sig 0x000a0660, pf_mask 0x80, 2019-10-03, rev 0x00ca, size 91136 . intel-microcode (3.20191113.1~deb10u1) buster-security; urgency=high . * Rebuild for buster-security (no changes) * Refer to DSA-4565-2 for details. . intel-microcode (3.20191113.1) unstable; urgency=high . * New upstream microcode datafile 20191113 + SECURITY UPDATE, refer to the 3.20191112.1 changelog entry for details Adds microcode update for CFL-S (Coffe Lake Desktop) INTEL-SA-00270, CVE-2019-11135, CVE-2019-0117 + Updated Microcodes (previously removed): sig 0x000906ec, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 iptables-persistent (1.0.4+nmu2+deb9u1) stretch; urgency=medium . * Non-maintainer upload * Catch errors in calls to modprobe, thanks Hugo, (Closes: #921186) jackson-databind (2.8.6-1+deb9u7) stretch; urgency=medium . * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from polymorphic deserialization. This fixes 20 CVE that currently affect the package namely, CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672, CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267. libbusiness-hours-perl (0.13-0+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * New upstream release. - Only change is a fix for a build and runtime failure with dates after 2018-12-31. (Closes: #934842) libbusiness-hours-perl (0.12-2) unstable; urgency=medium . [ gregor herrmann ] * debian/copyright: change Copyright-Format 1.0 URL to HTTPS. . [ Salvatore Bonaccorso ] * Update Vcs-* headers for switch to salsa.debian.org . [ Nick Morrott ] * Declare compliance with Debian Policy 4.2.1 (no changes) * Bump debhelper compatibility level to 10 * Add patch to improve reproducibility on Debian libclamunrar (0.102.3-0+deb9u1) stretch; urgency=medium . * Import 0.102.3 - Updated libclamunrar to UnRAR 5.9.2. * Provide a libclamunrar meta package which depends on the latest binary package. Suggested by Matus UHLAR - fantomas (Closes: #939824). libclamunrar (0.101.2-1) unstable; urgency=high . * Import 0.101.2 - CVE-2019-1785 (A path-traversal write condition may occur as a result of improper input validation when scanning RAR archives) - CVE-2019-1798 (A use-after-free condition may occur as a result of improper error handling when scanning nested RAR archives) libdbi (0.9.0-4+deb9u2) stretch; urgency=medium . * Comment out _error_handler() call again. libembperl-perl (2.5.0-10+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Update debian/patches/apache2.4-compat.patch to work with Apache 2.4.40+ error pages. (Closes: #941926) libexif (0.6.21-2+deb9u4) stretch; urgency=medium . * Add upstream patches to fix two security issues: - Fix a buffer read overflow in exif_entry_get_value() (CVE-2020-0182). - Fix an unsigned integer overflow in libexif/exif-data.c (CVE-2020-0198) (Closes: #962345). libexif (0.6.21-2+deb9u3) stretch; urgency=medium . * Add upstream patches to fix multiple security issues: - cve-2020-13112.patch: Fix MakerNote tag size overflow issues at read time (CVE-2020-13112) (Closes: #961407). - cve-2020-13113.patch: Ensure MakerNote data pointers are NULL-initialized (CVE-2020-13113) (Closes: #961409). - cve-2020-13114.patch: Add a failsafe on the maximum number of Canon MakerNote subtags to catch extremely large values in tags (CVE-2020-13114) (Closes: #961410). libexif (0.6.21-2+deb9u2) stretch; urgency=medium . [ Mike Gabriel ] * Sponsored upload. * debian/patches: trivial rebasing of several patches. . [ Hugh McMaster ] * Team upload. * Add upstream patches to fix multiple security issues: - cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE entry data of the input file (CVE-2016-6328) (Closes: #873022). - cve-2017-7544.patch: Fix an out-of-bounds heap read in the function exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466). - cve-2018-20030.patch: Improve deep recursion detection in the function exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730). - cve-2020-12767.patch: Prevent some possible division-by-zero errors in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199). - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093). libexif (0.6.21-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix out of bound write in exif-data.c (CVE-2019-9278) (Closes: #945948) libpam-krb5 (4.7-4+deb9u1) stretch-security; urgency=high . * SECURITY: Fix potential one-byte buffer overflow when the underlying Kerberos library initiates prompting (such as for PKINIT or when the no_prompt PAM option is set). (CVE-2020-10595) libvncserver (0.9.11+dfsg-1.3~deb9u4) stretch; urgency=medium . [ Antoni Villalonga ] * debian/patches: + Add CVE-2019-15690 patch. libvncclient/cursor: limit width/height input values. Avoids a possible heap overflow reported by Pavel Cheremushkin. (Closes: #954163). libxmlrpc3-java (3.1.3-8+deb9u1) stretch-security; urgency=high . * Team upload. * Fix CVE-2019-17570: An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. . Clients that expect to get server-side exceptions need to set the enabledForExceptions property to true in order to process serialized exception messages. (Closes: #949089) linux (4.9.228-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.211 - hidraw: Return EPOLLOUT from hidraw_poll - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll - HID: hidraw, uhid: Always report EPOLLOUT - ethtool: reduce stack usage with clang - iommu: Remove device link to group on failure - gpio: Fix error message on out-of-range GPIO in lookup table - hsr: reset network header when supervision frame is created - RDMA/srpt: Report the SCSI residual to the initiator - scsi: enclosure: Fix stale device oops with hot replug - scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI - [x86] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 - [armhf] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume - compat_ioctl: handle SIOCOUTQNSD - [ppc64el] powernv: Disable native PCIe port management - [armhf] tty: serial: imx: use the sg count from dma_map_sg - [i386] tty: serial: pch_uart: correct usage of dma_unmap_sg - mtd: spi-nor: fix silent truncation in spi_nor_read() - rtlwifi: Remove unnecessary NULL check in rtl_regd_init - f2fs: fix potential overflow - scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() - [mips*] Prevent link failure with kcov instrumentation - [x86] ioat: ioat_alloc_ring() failure handling. - ocfs2: call journal flush to mark journal as empty after journal recovery when mount - dt-bindings: reset: meson8b: fix duplicate reset IDs - clk: Don't try to enable critical clocks if prepare failed - ALSA: seq: Fix racy access for queue timer in proc read - [x86] Fix built-in early-load Intel microcode alignment - block: fix an integer overflow in logical block size - iio: buffer: align the size of scan bytes to size of the largest element - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx - USB: serial: opticon: fix control-message timeouts - USB: serial: suppress driver bind attributes - USB: serial: ch341: handle unbound port at reset_resume - USB: serial: io_edgeport: add missing active-port sanity check - USB: serial: quatech2: handle unbound ports - usb: core: hub: Improved device recognition on remote wakeup - [x86] efistub: Disable paging at mixed mode entry - perf hists: Fix variable name's inconsistency in hists__for_each() macro - perf report: Fix incorrectly added dimensions as switch perf data file - mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() - [arm64] net: stmmac: 16KB buffer must be 16 byte aligned - [arm64] net: stmmac: Enable 16KB buffer size - USB: serial: io_edgeport: use irqsave() in USB's complete callback - USB: serial: io_edgeport: handle unbound ports on URB completion - USB: serial: keyspan: handle unbound ports - scsi: fnic: use kernel's '%pM' format option to print MAC - scsi: fnic: fix invalid stack access - cfg80211: fix page refcount issue in A-MSDU decap - netfilter: fix a use-after-free in mtype_destroy() - netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct - batman-adv: Fix DAT candidate selection on little endian systems - macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() - r8152: add missing endpoint sanity check - tcp: fix marked lost packets not being retransmitted - net: usb: lan78xx: limit size of local TSO packets - cfg80211: check for set_wiphy_params - reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr - scsi: esas2r: unlock on error in esas2r_nvram_read_direct() - scsi: qla4xxx: fix double free bug - scsi: bnx2i: fix potential use after free - scsi: target: core: Fix a pr_debug() argument - scsi: core: scsi_trace: Use get_unaligned_be*() - perf probe: Fix wrong address verification https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.212 - xfs: Sanity check flags of Q_XQUOTARM call - [ppc64el] archrandom: fix arch_get_random_seed_int() - mt7601u: fix bbp version check in mt7601u_wait_bbp_ready - drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset() - ALSA: hda: fix unused variable warning - IB/rxe: replace kvfree with vfree - ALSA: usb-audio: update quirk for B&W PX to remove microphone - [x86] staging: comedi: ni_mio_common: protect register write overflow - pcrypt: use format specifier in kobject_add - exportfs: fix 'passing zero to ERR_PTR()' warning - [armhf] clk: highbank: fix refcount leak in hb_clk_init() - [armhf] clk: socfpga: fix refcount leak - [armhf] clk: samsung: exynos4: fix refcount leak in exynos4_get_xom() - [armhf] clk: imx6q: fix refcount leak in imx6q_clocks_init() - [armhf] clk: armada-370: fix refcount leak in a370_clk_init() - [armel] clk: kirkwood: fix refcount leak in kirkwood_clk_init() - [armhf] clk: armada-xp: fix refcount leak in axp_clk_init() - [x86] IB/usnic: Fix out of bounds index check in query pkey - RDMA/ocrdma: Fix out of bounds index check in query pkey - RDMA/qedr: Fix out of bounds index check in query pkey - [arm64] dts: apq8016-sbc: Increase load on l11 for SDCARD - [armhf] drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump() - crypto: tgr192 - fix unaligned memory access - [armhf] ASoC: imx-sgtl5000: put of nodes if finding codec fails - IB/iser: Pass the correct number of entries for dma mapped SGL - rtc: cmos: ignore bogus century byte - [armhf] clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it - iwlwifi: mvm: fix A-MPDU reference assignment - tty: ipwireless: Fix potential NULL pointer dereference - iwlwifi: mvm: fix RSS config command - [mips*/*-malta] rtc: ds1672: fix unintended sign extension - net: phy: fixed_phy: Fix fixed_phy not checking GPIO - [arm64] rtc: pm8xxx: fix unintended sign extension - iw_cxgb4: use tos when importing the endpoint - iw_cxgb4: use tos when finding ipv6 routes - [armhf] usb: phy: twl6030-usb: fix possible use-after-free on remove - block: don't use bio->bi_vcnt to figure out segment number - keys: Timestamp new keys - vfio_pci: Enable memory accesses before calling pci_map_rom - [arm*] dmaengine: mv_xor: Use correct device for DMA API - cdc-wdm: pass return value of recover_from_urb_loss - drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON - drm/nouveau/pmu: don't print reply values if exec is false - [arm64] ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of() - fs/nfs: Fix nfs_parse_devname to not modify it's argument - NFS: Fix a soft lockup in the delegation recovery code - [armhf] clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable - [armhf] clocksource/drivers/exynos_mct: Fix error path in timer resources initialization - [armhf] 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used - [armhf] 8848/1: virt: Align GIC version check with arm64 counterpart - scsi: megaraid_sas: reduce module load time - xen, cpu_hotplug: Prevent an out of bounds access - media: ivtv: update *pos correctly in ivtv_read_pos() - media: cx18: update *pos correctly in cx18_read_pos() - [armhf] media: wl128x: Fix an error code in fm_download_firmware() - media: cx23885: check allocation return - jfs: fix bogus variable self-initialization - tipc: tipc clang warning - [armhf] OMAP2+: Fix potentially uninitialized return value for _setup_reset() - [armhf,arm64] spi: tegra114: clear packed bit for unpacked mode - [armhf,arm64] spi: tegra114: fix for unpacked mode transfers - [armhf,arm64] spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios - scsi: qla2xxx: Unregister chrdev if module initialization fails - hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses - tipc: set sysctl_tipc_rmem and named_timeout right range - 6lowpan: Off by one handling ->nexthdr - ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk() - packet: in recvmsg msg_name return at least sizeof sockaddr_ll - ASoC: fix valid stream condition - IB/mlx5: Add missing XRC options to QP optional params mask - [x86] iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU - net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry - net: ena: fix: Free napi resources when ena_up() fails - net: ena: fix incorrect test of supported hash function - net: ena: fix ena_com_fill_hash_function() implementation - [arm64] dmaengine: tegra210-adma: restore channel status - l2tp: Fix possible NULL pointer dereference - [armhf] media: omap_vout: potential buffer overflow in vidioc_dqbuf() - [x86] platform/x86: alienware-wmi: printing the wrong error code - netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule - [arm64] pwm: meson: Don't disable PWM when setting duty repeatedly - [arm*] thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power - [arm64] dmaengine: tegra210-adma: Fix crash during probe - [x86] crypto: ccp - fix AES CFB error exposed by new test vectors - iommu: Use right function to get group for device - signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig - inet: frags: call inet_frags_fini() after unregister_pernet_subsys() - media: vivid: fix incorrect assignment operation when setting video mode - [ppc64el] cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild - [arm64] drm/msm/mdp5: Fix mdp5_cfg_init error return - net: netem: fix backlog accounting for corrupted GSO frames - [s390x] net/af_iucv: always register net_device notifier - [armhf] ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs - rtc: pcf8563: Clear event flags and disable interrupts before requesting irq - [arm64] drm/msm/a3xx: remove TPL1 regs from snapshot - perf/ioctl: Add check for the sample_period value - [arm64] clk: qcom: Fix -Wunused-const-variable - [x86] iommu/amd: Make iommu_disable safer - [x86] mfd: intel-lpss: Release IDA resources - rxrpc: Fix uninitialized error code in rxrpc_send_data_packet() - devres: allow const resource arguments - scsi: libfc: fix null pointer dereference on a null lport - libertas_tf: Use correct channel range in lbtf_geo_init - qed: reduce maximum stack frame size - usb: host: xhci-hub: fix extra endianness conversion - [amd64] mic: avoid statically declaring a 'struct device'. - [ppc64el] ALSA: aoa: onyx: always initialize register read value - net/mlx5: Fix mlx5_ifc_query_lag_out_bits - cifs: fix rmmod regression in cifs.ko caused by force_sig changes - ext4: set error return correctly when ext4_htree_store_dirent fails - [armhf] ASoC: es8328: Fix copy-paste error in es8328_right_line_controls - signal: Allow cifs and drbd to receive their terminating signals - [x86] dmaengine: dw: platform: Switch to acpi_dma_controller_register() - mac80211: minstrel_ht: fix per-group max throughput rate initialization - [mips*] avoid explicit UB in assignment of mips_io_port_base - ahci: Do not export local variable ahci_em_messages - Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" - hwmon: (lm75) Fix write operations for negative temperatures - power: supply: Init device wakeup after device_add() - bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA - ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init - Btrfs: fix hang when loading existing inode cache off disk - net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' - [x86] iommu/amd: Wait for completion of IOTLB flush in attach_device - [arm64] net: hisilicon: Fix signedness bug in hix5hd2_dev_probe() - [arm64] net: stmmac: dwmac-meson8b: Fix signedness bug in probe - of: mdio: Fix a signedness bug in of_phy_get_and_connect() - [arm64] net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() - nvme: retain split access workaround for capability reads - [arm64] net: stmmac: gmac4+: Not all Unicast addresses may be available - mac80211: accept deauth frames in IBSS mode - llc: fix another potential sk_buff leak in llc_ui_sendmsg() - llc: fix sk_buff refcounting in llc_conn_state_process() - [arm64] net: stmmac: fix length of PTP clock's name string - act_mirred: Fix mirred_init_module error handling - [arm64] drm/msm/dsi: Implement reset correctly - [armhf] dmaengine: imx-sdma: fix size check for sdma script_number - net: netem: fix error path for corrupted GSO frames - net: netem: correct the parent's backlog when corrupted packet was dropped - afs: Fix large file support - [mips*el/loongson-3] Fix return value of loongson_hwmon_init - net: neigh: use long type to store jiffies delta - packet: fix data-race in fanout_flow_is_huge() - [armhf] dmaengine: ti: edma: fix missed failure handling - drm/radeon: fix bad DMA from INTERRUPT_CNTL2 - [arm64] dts: juno: Fix UART frequency - IB/iser: Fix dma_nents type definition - net: ethtool: Add back transceiver type - net: phy: Keep reporting transceiver type - atm: firestream: fix memory leaks - net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM - net, ip6_tunnel: fix namespaces move - net, ip_tunnel: fix namespaces move - net_sched: fix datalen for ematch - tcp_bbr: improve arithmetic division in bbr_update_bw() - net: usb: lan78xx: Add .ndo_features_check - gtp: make sure only SOCK_DGRAM UDP sockets are accepted - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input - hwmon: (core) Simplify sysfs attribute name allocation - hwmon: Deal with errors from the thermal subsystem - hwmon: (core) Fix double-free in __hwmon_device_register() - hwmon: (core) Do not use device managed functions for memory allocations - Input: keyspan-remote - fix control-message timeouts - [armel,armhf] 8950/1: ftrace/recordmcount: filter relocation types - [armhf,arm64] mmc: tegra: fix SDR50 tuning override - mmc: sdhci: fix minimum clock rate for v3 controller - Input: sur40 - fix interface sanity checks - Input: gtco - fix endpoint sanity check - Input: aiptek - fix endpoint sanity check - Input: pegasus_notetaker - fix endpoint sanity check - [armhf] Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register - tracing: xen: Ordered comparison of function pointers - [arm64] Documentation: Document arm64 kpti control - [arm64] kpti: Whitelist Cortex-A CPUs that don't implement the CSV3 field - bcache: silence static checker warning - scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func - md: Avoid namespace collision with bitmap API - bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() - netfilter: ipset: use bitmap infrastructure completely - net/x25: fix nonblocking connect https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.213 - ALSA: pcm: Add missing copy ops check before clearing buffer - orinoco_usb: fix interface sanity check - rsi_91x_usb: fix interface sanity check - USB: serial: ir-usb: add missing endpoint sanity check - USB: serial: ir-usb: fix link-speed handling - USB: serial: ir-usb: fix IrLAP framing - [x86] staging: wlan-ng: ensure error return is actually returned - [x86] staging: vt6656: correct packet types for CTS protect, mode. - [x86] staging: vt6656: use NULLFUCTION stack on mac80211 - [x86] staging: vt6656: Fix false Tx excessive retries reporting. - [arm64] serial: 8250_bcm2835aux: Fix line mismatch on driver unbind - ath9k: fix storage endpoint lookup - brcmfmac: fix interface sanity check - rtl8xxxu: fix interface sanity check - zd1211rw: fix storage endpoint lookup - drivers/net/b44: Change to non-atomic bit operations on pwol_mask - [i386] net: wan: sdla: Fix cast from pointer to integer of different size - [arm64] gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP - atm: eni: fix uninitialized variable warning - usb-storage: Disable UAS on JMicron SATA enclosure - net_sched: ematch: reject invalid TCF_EM_SIMPLE - crypto: af_alg - Use bh_lock_sock in sk_destruct - crypto: pcrypt - Fix user-after-free on module unload - mm/mempolicy.c: fix out of bounds write in mpol_parse_str() - reiserfs: Fix memory leak of journal device string - media: digitv: don't continue if remote control state can't be read - media: af9005: uninitialized variable printked - media: gspca: zero usb_buf - media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 - ttyprintk: fix a potential deadlock in interrupt context issue - Bluetooth: Fix race condition in hci_release_sock() - [armhf,arm64] usb: dwc3: turn off VBUS when leaving host mode - media: si470x-i2c: Move free() past last use of 'radio' - [armhf] ARM: dts: beagle-x15-common: Model 5V0 regulator - mac80211: mesh: restrict airtime metric to peered established plinks - ixgbevf: Remove limit of 10 entries for unicast filter list - ixgbe: Fix calculation of queue with VFs and flow director on interface flap - wireless: fix enabling channel 12 for custom regulatory domain - mac80211: Fix TKIP replay protection immediately after key setup - wireless: wext: avoid gcc -O3 warning - vti[6]: fix packet tx through bpf_redirect() - scsi: fnic: do not queue commands during fwreset - airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE - airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE - r8152: get default setting of WOL before initializing - qlcnic: Fix CPU soft lockup while collecting firmware dump - cxgb4: seq_tab_next() should increase position index - cxgb4: l2t_seq_next should increase position index - net: Fix skb->csum update in inet_proto_csum_replace16(). - btrfs: do not zero f_bavail if we have available space https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.214 - media: iguanair: fix endpoint sanity check - [x86] cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR - ASoC: qcom: Fix of-node refcount unbalance to link->codec_of_node - cls_rsvp: fix rsvp_policy - gtp: use __GFP_NOWARN to avoid memalloc warning - net_sched: fix an OOB access in cls_tcindex - rxrpc: Fix insufficient receive notification generation - rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect - tcp: clear tp->total_retrans in tcp_disconnect() - tcp: clear tp->delivered in tcp_disconnect() - tcp: clear tp->data_segs{in|out} in tcp_disconnect() - tcp: clear tp->segs_{in|out} in tcp_disconnect() - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors - brcmfmac: Fix memory leak in brcmf_usbdev_qinit - usb: gadget: legacy: set max_speed to super-speed - usb: gadget: f_ncm: Use atomic_t to track in-flight request - usb: gadget: f_ecm: Use atomic_t to track in-flight request - ALSA: dummy: Fix PCM format loop in proc output - media/v4l2-core: set pages dirty upon releasing DMA buffers - media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments - [ppc64el] pseries: Advance pfn if section is not present in lmb_is_removable() - mmc: spi: Toggle SPI polarity, do not hardcode it - ubifs: Change gfp flags in page allocation for bulk read - ubifs: Fix deadlock in concurrent bulk-read and writepage - crypto: api - Check spawn->alg under lock in crypto_drop_spawn - scsi: qla2xxx: Fix mtcp dump collection failure - power: supply: ltc2941-battery-gauge: fix use-after-free - of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc - dm space map common: fix to ensure new block isn't already in use - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request - crypto: api - Fix race condition in crypto_spawn_alg - btrfs: set trans->drity in btrfs_commit_transaction - [armhf] tegra: Enable PLLP bypass during Tegra124 LP1 - mwifiex: fix unbalanced locking in mwifiex_process_country_ie() - sunrpc: expiry_time should be seconds not timeval - [x86] KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c - [x86] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks - [ppc64el] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails - [ppc64el] KVM: PPC: Book3S PR: Free shared page if mmu initialization fails - [x86] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails - [armhf,arm64] clk: tegra: Mark fuse clock as critical - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type - IB/mlx5: Fix outstanding_pi index for GSI qps - nfsd: fix delay timer on 32-bit architectures - nfsd: fix jiffies/time_t mixup in LRU list - ubi: fastmap: Fix inverted logic in seen selfcheck - ubi: Fix an error pointer dereference in error handling code - bonding/alb: properly access headers in bond_alb_xmit() - NFS: switch back to to ->iterate() - NFS: Fix memory leaks and corruption in readdir - NFS: Fix bool initialization/comparison - NFS: Directory page cache pages need to be locked when read - ext4: fix deadlock allocating crypto bounce page from mempool - Btrfs: fix assertion failure on fsync with NO_HOLES enabled - btrfs: use bool argument in free_root_pointers() - btrfs: remove trivial locking wrappers of tree mod log - Btrfs: fix race between adding and putting tree mod seq elements and nodes - [x86] KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks - btrfs: flush write bio if we loop in extent_write_cache_pages - [x86] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM - [x86] KVM: nVMX: vmread should not set rflags to specify success in case of #PF - cifs: fail i/o on soft mounts if sessionsetup errors out - clocksource: Prevent double add_timer_on() for watchdog_timer - perf/core: Fix mlock accounting in perf_mmap() - rxrpc: Fix service call disconnection - ASoC: pcm: update FE/BE trigger order based on the command - RDMA/netlink: Do not always generate an ACK for some netlink operations - scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails - PCI: Don't disable bridge BARs when assigning bus resources - nfs: NFS_SWAP should depend on SWAP - NFSv4: try lease recovery on NFS4ERR_EXPIRED - rtc: cmos: Stop using shared IRQ - [ppc64el] pseries: Allow not having ibm, hypertas-functions:: hcall-multi-tce for DDW - scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state - dm: fix potential for q->make_request_fn NULL pointer - libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held - libertas: make lbs_ibss_join_existing() return error code on rates overflow https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.215 - [x86] vdso: Use RDPID in preference to LSL when available - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs - ecryptfs: fix a memory leak bug in parse_tag_1_packet() - ecryptfs: fix a memory leak bug in ecryptfs_init_messaging() - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 - ext4: don't assume that mmp_nodename/bdevname have NUL - ext4: fix checksum errors with indexed dirs - ext4: improve explanation of a mount failure caused by a misconfigured kernel - Btrfs: fix race between using extent maps and merging them - btrfs: log message when rw remount is attempted with unclean tree-log - [x86] perf/x86/amd: Add missing L2 misses event spec to AMD Family 17h's event map - padata: Remove broken queue flushing - [s390x] time: Fix clk type in get_tod_clock - [x86] perf/x86/intel: Fix inaccurate period in context switch for auto-reload - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer - btrfs: print message when tree-log replay starts - scsi: qla2xxx: fix a potential NULL pointer dereference - [x86] drm/gma500: Fixup fbdev stolen size usage evaluation - cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order - brcmfmac: Fix use after free in brcmf_sdio_readframes() - [ppc64el] powernv/iov: Ensure the pdn for VFs always contains a valid PE number - [x86] pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins - [x86] efi/x86: Map the entire EFI vendor string before copying it - [mips*el/loongson-3] Fix potential NULL dereference in loongson3_platform_init() - uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol() - usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe() - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal - [x86] sysfb: Fix check for bad VRAM size - tracing: Fix tracing_stat return values in error handling paths - tracing: Fix very unlikely race of registering two stat tracers - ext4, jbd2: ensure panic when aborting with zero errno - [arm64] clk: qcom: rcg2: Don't crash if our parent can't be found; return an error - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table - [armhf] regulator: rk808: Lower log level on optional GPIOs being not available - PCI/IOV: Fix memory leak in pci_iov_add_virtfn() - NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu(). - media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling - b43legacy: Fix -Wcast-function-type - [x86] ipw2x00: Fix -Wcast-function-type - iwlegacy: Fix -Wcast-function-type - rtlwifi: rtl_pci: Fix -Wcast-function-type - orinoco: avoid assertion in case of NULL pointer - ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1 - RDMA/rxe: Fix error type of mmap_offset - usbip: Fix unsafe unaligned pointer usage - udf: Fix free space reporting for metadata and virtual partitions - [armhf] soc/tegra: fuse: Correct straps' address for older Tegra124 device trees - rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls - driver core: platform: Prevent resouce overflow from causing infinite loops - driver core: Print device when resources present in really_probe() - drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler - [x86] drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add - [armhf] usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue - [arm64] iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE - scsi: iscsi: Don't destroy session if there are outstanding connections - [arm64] fix alternatives with LLVM's integrated assembler - [armhf] pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional - cmd64x: potential buffer overflow in cmd64x_program_timings() - [x86] decoder: Add TEST opcode to Group3-2 - [s390x] ftrace: generate traced function stack frame - driver core: platform: fix u32 greater or equal to zero comparison - [x86] ALSA: hda - Add docking station support for Lenovo Thinkpad T420s - [ppc64el] sriov: Remove VF eeh_dev state when disabling SR-IOV - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop - cifs: fix NULL dereference in match_prepath - [armhf,arm64] irqchip/gic-v3: Only provision redistributors that are enabled in ACPI - drm/nouveau/disp/nv50-: prevent oops when no channel method map provided - ftrace: fpid_next() should increase position index - tracing: trigger_next should increase position index - radeon: insert 10ms sleep in dce5_crtc_load_lut - ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans() - reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() - bcache: explicity type cast in bset_bkey_last() - [armhf,arm64] irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL - iwlwifi: mvm: Fix thermal zone registration - brd: check and limit max_part par - selinux: ensure we cleanup the internal AVC counters on error in avc_update() - enic: prevent waking up stopped tx queues over watchdog reset - net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS - net/sched: flower: add missing validation of TCA_FLOWER_FLAGS - staging: android: ashmem: Disallow ashmem memory from being remapped (CVE-2020-0009) - [x86] staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi. - xhci: Force Maximum Packet size for Full-speed bulk devices to valid range. - usb: uas: fix a plug & unplug racing - USB: Fix novation SourceControl XL after suspend - USB: hub: Don't record a connect-change event during reset-resume - staging: rtl8188eu: Fix potential security hole - staging: rtl8188eu: Fix potential overuse of kernel memory - [x86] mce/amd: Publish the bank pointer only after setup has succeeded - [x86] mce/amd: Fix kobject lifetime - [armhf] tty: serial: imx: setup the correct sg entry for tx dma - Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" - [x86] xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms - [x86] KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI - netfilter: xt_bpf: add overflow checks - ext4: fix a data race in EXT4_I(inode)->i_disksize - ext4: add cond_resched() to __ext4_find_entry() - ext4: fix mount failure with quota configured as module - ext4: rename s_journal_flag_rwsem to s_writepages_rwsem - ext4: fix race between writepages and enabling EXT4_EXTENTS_FL - [x86] KVM: apic: avoid calculating pending eoi from an uninitialized val - Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents - scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" - usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus - ecryptfs: replace BUG_ON with error handling code - ALSA: rawmidi: Avoid bit fields for state flags - ALSA: seq: Avoid concurrent access to queue flags - ALSA: seq: Fix concurrent access to queue current tick/time - netfilter: xt_hashlimit: limit the max size of hashtable - ata: ahci: Add shutdown to freeze hardware resources of ahci - xen: Enable interrupts when calling _cond_resched() - [s390x] mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.216 - iwlwifi: pcie: fix rb_allocator workqueue allocation - ext4: fix potential race between online resizing and write operations - ext4: fix potential race between s_flex_groups online resizing and access - ext4: fix potential race between s_group_info online resizing and access - ipmi:ssif: Handle a possible NULL pointer reference - [arm64] drm/msm: Set dma maximum segment size for mdss - mac80211: consider more elements in parsing CRC - cfg80211: check wiphy driver existence for drvinfo report - qmi_wwan: re-add DW5821e pre-production variant - net: ena: fix potential crash when rxfh key is NULL - net: ena: add missing ethtool TX timestamping indication - net: ena: fix incorrect default RSS key - net: ena: rss: fix failure to get indirection table - net: ena: rss: store hash function as values and not bits - net: ena: fix incorrectly saving queue numbers when setting RSS indirection table - net: ena: ena-com.c: prevent NULL pointer dereference - cifs: Fix mode output in debugging statements - cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE - sysrq: Restore original console_loglevel when sysrq disabled - sysrq: Remove duplicated sysrq message - net: fib_rules: Correctly set table field when table number exceeds 8 bits - net: phy: restore mdio regs in the iproc mdio driver - ipv6: Fix nlmsg_flags when splitting a multipath route - ipv6: Fix route replacement with dev-only route - sctp: move the format error check out of __sctp_sf_do_9_1_abort - [x86] nfc: pn544: Fix occasional HW initialization failure - net: sched: correct flower port blocking - ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() - audit: fix error handling in audit_data_to_entry() - ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro - ACPI: watchdog: Fix gas->access_width usage - HID: core: fix off-by-one memset in hid_report_raw_event() - HID: core: increase HID report buffer size to 8KiB - HID: hiddev: Fix race in in hiddev_disconnect() - [mips*] VPE: Fix a double free and a memory leak in 'release_vpe()' - ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66 - serial: 8250: Check UPF_IRQ_SHARED in advance - include/linux/bitops.h: introduce BITS_PER_TYPE - net: netlink: cap max groups which will be considered in netlink_bind() - net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE - namei: only return -ECHILD from follow_dotdot_rcu() - KVM: Check for a bad hva before dropping into the ghc slow path - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE - [arm64] drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' - perf hists browser: Restore ESC as "Zoom out" of DSO/thread/etc - mm/huge_memory.c: use head to check huge zero page - audit: always check the netlink payload length in audit_receive_msg() - usb: gadget: composite: Support more than 500mA MaxPower - usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags - usb: gadget: serial: fix Tx stall after buffer overflow - [arm64] drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI - [arm64] drm/msm/dsi: save pll state before dsi host is powered off - [s390x] cio: cio_ignore_proc_seq_next should increase position index - cifs: don't leak -EAGAIN for stat() during reconnect - usb: storage: Add quirk for Samsung Fit flash - usb: quirks: add NO_LPM quirk for Logitech Screen Share - usb: core: hub: do error out if usb_autopm_get_interface() fails - usb: core: port: do error out if usb_autopm_get_interface() fails - fat: fix uninit-memory access for partial initialized inode - [arm64] tty:serial:mvebu-uart:fix a wrong return - [x86] pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes - [armhf,arm64] dmaengine: tegra-apb: Fix use-after-free - [armhf,arm64] dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list - ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output - ASoC: dapm: Correct DAPM handling of active widgets during shutdown - RDMA/iwcm: Fix iwcm work deallocation - RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() - [ppc64el] fix hardware PMU exception bug on PowerVM compatibility mode systems - dm cache: fix a crash due to incorrect work item cancelling - crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.217 - NFS: Remove superfluous kmap in nfs_readdir_xdr_to_array - phy: Revert toggling reset changes. - net: phy: Avoid multiple suspends - cgroup, netclassid: periodically release file_lock on classid updating - gre: fix uninit-value in __iptunnel_pull_header - ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface - net: macsec: update SCI upon MAC address change. - net: nfc: fix bounds checking bugs on "pipe" - r8152: check disconnect status after long sleep - bnxt_en: reinitialize IRQs when MTU is modified - fib: add missing attribute validation for tun_id - nl802154: add missing attribute validation - nl802154: add missing attribute validation for dev_type - macsec: add missing attribute validation for port - net: fq: add missing attribute validation for orphan mask - team: add missing attribute validation for port ifindex - team: add missing attribute validation for array index - nfc: add missing attribute validation for SE API - nfc: add missing attribute validation for vendor subcommand - ipvlan: add cond_resched_rcu() while processing muticast backlog - ipvlan: do not add hardware address of master to its unicast filter list - ipvlan: egress mcast packets are not exceptional - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() - ipvlan: don't deref eth hdr before checking it's set - macvlan: add cond_resched() during multicast processing - bonding/alb: make sure arp header is pulled before accessing it - cgroup: memcg: net: do not associate sock with unrelated cgroup - net: phy: fix MDIO bus PM PHY resuming - virtio-blk: fix hw_queue stopped on arbitrary error - [x86] iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint - workqueue: don't use wq_select_unbound_cpu() for bound works - drm/amd/display: remove duplicated assignment to grph_obj_type - cifs_atomic_open(): fix double-put on late allocation failure - gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache - [x86] KVM: x86: clear stale x86_emulate_ctxt->intercept value - efi: Fix a race and a buffer overflow while reading efivars via sysfs - [x86] iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint - [x86] iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page - nl80211: add missing attribute validation for critical protocol indication - nl80211: add missing attribute validation for beacon report scanning - nl80211: add missing attribute validation for channel switch - netfilter: cthelper: add missing attribute validation for cthelper - [x86] iommu/vt-d: Fix the wrong printing in RHSA parsing - [x86] iommu/vt-d: Ignore devices with out-of-spec domain number - ipv6: restrict IPV6_ADDRFORM operation - efi: Add a sanity check to efivar_store_raw() - batman-adv: Fix double free during fragment merge error - batman-adv: Fix transmission of final, 16th fragment - batman-adv: Initialize gw sel_class via batadv_algo - batman-adv: Fix rx packet/bytes stats on local ARP reply - batman-adv: Use default throughput value on cfg80211 error - batman-adv: Accept only filled wifi station info - batman-adv: fix TT sync flag inconsistencies - batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation - batman-adv: Always initialize fragment header priority - batman-adv: Fix check of retrieved orig_gw in batadv_v_gw_is_eligible - batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq - batman-adv: Fix internal interface indices types - batman-adv: Avoid race in TT TVLV allocator helper - batman-adv: Fix TT sync flags for intermediate TT responses - batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs - batman-adv: Fix debugfs path for renamed hardif - batman-adv: Fix debugfs path for renamed softif - batman-adv: Avoid storing non-TT-sync flags on singular entries too - batman-adv: Fix multicast TT issues with bogus ROAM flags - batman-adv: Prevent duplicated gateway_node entry - batman-adv: Fix duplicated OGMs on NETDEV_UP - batman-adv: Avoid free/alloc race when handling OGM2 buffer - batman-adv: Avoid free/alloc race when handling OGM buffer - batman-adv: Don't schedule OGM for disabled interface - batman-adv: update data pointers after skb_cow() - batman-adv: Avoid probe ELP information leak - batman-adv: Use explicit tvlv padding for ELP packets - [x86] perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag - ACPI: watchdog: Allow disabling WDAT at boot - HID: apple: Add support for recent firmware on Magic Keyboards - [x86] HID: i2c-hid: add Trekstor Surfbook E11B to descriptor override - cfg80211: check reg_rule for NULL in handle_channel_custom() - mac80211: rx: avoid RCU list traversal under mutex - signal: avoid double atomic counter increments for user accounting - jbd2: fix data races at struct journal_head - [armhf] 8957/1: VDSO: Match ARMv8 timer in cntvct_functional() - [armel,armhf] 8958/1: rename missed uaccess .fixup section - mm: slub: add missing TID bump in kmem_cache_alloc_bulk() - ipv4: ensure rcu_read_lock() in cipso_v4_error() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.218 - [arm64] spi: qup: call spi_qup_pm_resume_runtime before suspending - [armhf] dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes - [armhf] drm/exynos: dsi: propagate error value and silence meaningless warning - [armhf] drm/exynos: dsi: fix workaround for the legacy clock name - USB: Disable LPM on WD19's Realtek Hub - usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters - USB: serial: option: add ME910G1 ECM composition 0x110b - usb: host: xhci-plat: add a shutdown - USB: serial: pl2303: add device-id for HP LD381 - ALSA: line6: Fix endless MIDI read loop - ALSA: seq: virmidi: Fix running status after receiving sysex - ALSA: seq: oss: Fix running status after receiving sysex - ALSA: pcm: oss: Avoid plugin buffer overflow - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks - staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 - staging/speakup: fix get_word non-space look-ahead - [x86] intel_th: Fix user-visible error codes - memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event - mm: slub: be more careful about the double cmpxchg of freelist - mm, slub: prevent kmalloc_node crashes and memory leaks - [x86] mm: split vmalloc_sync_all() - USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL - USB: cdc-acm: fix rounding error in TIOCSSERIAL - futex: Fix inode life-time issue - futex: Unbreak futex hashing - [arm64] smp: fix smp_send_stop() behaviour - hsr: fix general protection fault in hsr_addr_is_self() - macsec: restrict to ethernet devices - net: dsa: Fix duplicate frames flooded by learning - net_sched: cls_route: remove the right filter from hashtable - net_sched: keep alloc_hash updated after hash allocation - vxlan: check return value of gro_cells_init() - [armhf] net: mvneta: Fix the case where the last poll did not process all rx - hsr: use rcu_read_lock() in hsr_get_node_{list/status}() - hsr: add restart routine into hsr_get_node_list() - hsr: set .netnsok flag - [x86] KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO instr - net: ipv4: don't let PMTU updates increase route MTU - cpupower: avoid multiple definition with gcc -fno-common - scsi: ipr: Fix softlockup when rescanning devices in petitboot - mac80211: Do not send mesh HWMP PREQ if HWMP is disabled - [armhf] dts: dra7: Add bus_dma_limit for L3 bus - [armhf] dts: omap5: Add bus_dma_limit for L3 bus - perf probe: Do not depend on dwfl_module_addrsym() - scripts/dtc: Remove redundant YYLOC global declaration - scsi: sd: Fix optimal I/O size for devices that change reported values - mac80211: mark station unauthorized before key removal - genirq: Fix reference leaks on irq affinity notifiers - vti[6]: fix packet tx through bpf_redirect() in XinY cases - xfrm: fix uctx len check in verify_sec_ctx_len - xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire - xfrm: policy: Fix doulbe free in xfrm_policy_timer - netfilter: nft_fwd_netdev: validate family and chain type - vti6: Fix memory leak of skb if input policy check fails - tools: Let O= makes handle a relative path with -C option - USB: serial: option: add support for ASKEY WWHC050 - USB: serial: option: add BroadMobi BM806U - USB: serial: option: add Wistron Neweb D19Q1 - USB: cdc-acm: restore capability check order - USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback - [armhf] usb: musb: fix crash with highmen PIO and usbmon - media: flexcop-usb: fix endpoint sanity check - media: usbtv: fix control-message timeouts - staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table - [x86] staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb - [x86] staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback - libfs: fix infoleak in simple_attr_read() - media: dib0700: fix rc endpoint lookup - mac80211: Check port authorization in the ieee80211_tx_dequeue() case - mac80211: fix authentication with iwlwifi/mvm - bpf: Explicitly memset the bpf_attr structure - perf map: Fix off by one in strncpy() size argument https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.219 - l2tp: ensure sessions are freed after their PPPOL2TP socket - l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall() - drm/bochs: downgrade pci_request_region failure from error to warning - ipv4: fix a RCU-list lock in fib_triestat_seq_show - net, ip_tunnel: fix interface lookup with no key - sctp: fix refcount bug in sctp_wfree - sctp: fix possibly using a bad saddr with a given dst - [armhf] drm/etnaviv: replace MMU flush marker with flush sequence - blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter - blk-mq: Allow blocking queue tag iter callbacks - [armhf] net: dsa: tag_brcm: Fix skb->fwd_offload_mark location - padata: always acquire cpu_hotplug_lock before pinst->lock - [armhf] net: dsa: bcm_sf2: Ensure correct sub-node is parsed - [armhf,arm64] net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting - net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers - IB/hfi1: Call kobject_put() when kobject_init_and_add() fails - IB/hfi1: Fix memory leaks in sysfs registration and unregistration - ceph: remove the extra slashes in the server path - ceph: canonicalize server path in place - Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl - RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow - [arm64] clk: qcom: rcg: Return failure for RCG update - [arm64] drm/msm: stop abusing dma_map/unmap for cache - [arm64] Fix size of __early_cpu_boot_status - [armhf,arm64] usb: dwc3: don't set gadget->is_otg flag - drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() - [arm64] drm/msm: Use the correct dma_sync calls in msm_gem https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.220 - net: vxge: fix wrong __VA_ARGS__ usage - qlcnic: Fix bad kzalloc null test - sched: Avoid scale real weight down to zero - libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() - [x86] boot: Use unsigned comparison for addresses - locking/lockdep: Avoid recursion in lockdep_count_{for,back}ward_deps() - btrfs: remove a BUG_ON() from merge_reloc_roots() - btrfs: track reloc roots based on their commit root bytenr - misc: rtsx: set correct pcr_ops for rts522A - ASoC: fix regwmask - ASoC: dapm: connect virtual mux with default value - ASoC: dpcm: allow start or stop during pause for backend - ASoC: topology: use name_prefix for new kcontrol - usb: gadget: f_fs: Fix use after free issue as part of queue failure - usb: gadget: composite: Inform controller driver of self-powered - ALSA: usb-audio: Add mixer workaround for TRX40 and co - ALSA: hda: Add driver blacklist - ALSA: hda: Fix potential access overflow in beep helper - ALSA: ice1724: Fix invalid access for enumerated ctl items - ALSA: pcm: oss: Fix regression by buffer overflow fix - [armhf] media: ti-vpe: cal: fix disable_irqs to only the intended target - [x86] acpi/x86: ignore unspecified bit positions in the ACPI global lock field - KEYS: reaching the keys quotas correctly - [mips*] OCTEON: irq: Fix potential NULL pointer dereference - ath9k: Handle txpower changes even when TPC is disabled - signal: Extend exec_id to 64bits (CVE-2020-12826) - [i386] x86/entry/32: Add missing ASM_CLAC to general_protection entry - [s390x] KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks - [s390x] KVM: s390: vsie: Fix delivery of addressing exceptions - [x86] KVM: x86: Allocate new rmap and large page tracking when moving memslot - [x86] KVM: VMX: Always VMCLEAR in-use VMCSes during crash with kexec support - [x86] KVM: VMX: fix crash cleanup when KVM wasn't used - btrfs: drop block from cache on error in relocation - ALSA: hda: Initialize power_state field properly - [x86] speculation: Remove redundant arch_smt_update() invocation - mm: Use fixed constant in page_frag_alloc instead of size + 1 - dm verity fec: fix memory leak in verity_fec_dtr - [s390x] scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point - [arm64] armv8_deprecated: Fix undef_hook mask for thumb setend - [armhf] rtc: omap: Use define directive for PIN_CONFIG_ACTIVE_HIGH - ext4: fix a data race at inode->i_blocks - ocfs2: no need try to truncate file beyond i_size - [s390x] diag: fix display of diagnose call statistics - [x86] Input: i8042 - add Acer Aspire 5738z to nomux list - kmod: make request_module() return an error when autoloading is disabled - [ppc64el] cpufreq: powernv: Fix use-after-free - hfsplus: fix crash and filesystem corruption when deleting files - libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set - [ppc64el] 64/tm: Don't let userspace set regs->trap via sigreturn - Btrfs: fix crash during unmount due to race with delayed inode workers - drm/dp_mst: Fix clearing payload state on topology disable - drm: Remove PageReserved manipulation from drm_pci_alloc - ipmi: fix hung processes in __get_guid() - hsr: check protocol version in hsr_newlink() - net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin - net: ipv6: do not consider routes via gateways for anycast address check - scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic - jbd2: improve comments about freeing data buffers whose page mapping is NULL - ext4: fix incorrect group count in ext4_fill_super error message - ext4: fix incorrect inodes per group in error message - [x86] ASoC: Intel: mrfld: fix incorrect check on p->sink - [x86] ASoC: Intel: mrfld: return error codes when an error occurs - ALSA: usb-audio: Don't override ignore_ctl_error value from the map - btrfs: check commit root generation in should_ignore_root - mac80211_hwsim: Use kstrndup() in place of kasprintf() - ext4: do not zeroout extents beyond i_disksize - dm flakey: check for null arg_name in parse_features() - [x86] kvm: x86: Host feature SSBD doesn't imply guest feature SPEC_CTRL_SSBD - scsi: target: remove boilerplate code - scsi: target: fix hang when multiple threads try to destroy the same iscsi session - tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation - objtool: Fix switch table detection in .text.unlikely - ALSA: hda: Don't release card at firmware loading error - video: fbdev: sis: Remove unnecessary parentheses and commented code - drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem - Revert "gpio: set up initial state from .get_direction()" - wil6210: increase firmware ready timeout - wil6210: fix temperature debugfs - scsi: ufs: make sure all interrupts are processed - scsi: ufs: ufs-qcom: remove broken hci version quirk - wil6210: rate limit wil_rx_refill error - [arm64] rtc: pm8xxx: Fix issue in RTC write path - wil6210: fix length check in __wmi_send - of: fix missing kobject init for !SYSFS && OF_DYNAMIC config - [arm64] cpu_errata: include required headers - of: unittest: kmemleak in of_unittest_platform_populate() - [armhf,arm64] power: supply: bq27xxx_battery: Silence deferred-probe error - [armhf,arm64] clk: tegra: Fix Tegra PMC clock out parents - NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context fails - [s390x] cpuinfo: fix wrong output when CPU0 is offline - [ppc64el] maple: Fix declaration made after definition - ext4: do not commit super on read-only bdev - percpu_counter: fix a data race at vm_committed_as - [s390x] KVM: s390: vsie: Fix possible race when shadowing region 3 tables - NFS: Fix memory leaks in nfs_pageio_stop_mirroring() - libnvdimm: Out of bounds read in __nd_ioctl() - [x86] iommu/amd: Fix the configuration of GCR3 table root pointer - fbdev: potential information leak in do_fb_ioctl() - tty: evh_bytechan: Fix out of bounds accesses - mtd: lpddr: Fix a double free in probe() - mtd: phram: fix a double free issue in error path - [x86] CPU: Add native CPUID variants returning a single datum - [x86] microcode/intel: replace sync_core() with native_cpuid_reg(eax) - [x86] vdso: Fix lsl operand order https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.221 - ext4: fix extent_status fragmentation for plain files - net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg() - net: ipv4: avoid unused variable warning for sysctl - [arm64] drm/msm: Use the correct dma_sync calls harder - vti4: removed duplicate log message. - watchdog: reset last_hw_keepalive time at start - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login - ceph: return ceph_mdsc_do_request() errors from __get_parent() - ceph: don't skip updating wanted caps when cap is stale - scsi: iscsi: Report unbind session event when the target has been removed - [x86] ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() - kernel/gcov/fs.c: gcov_seq_next() should increase position index - ipc/util.c: sysvipc_find_ipc() should increase position index - [s390x] cio: avoid duplicated 'ADD' uevents - [armhf,arm64] pwm: bcm2835: Dynamically allocate base - PCI/ASPM: Allow re-enabling Clock PM - ipv6: fix restrict IPV6_ADDRFORM operation - macsec: avoid to set wrong mtu - macvlan: fix null dereference in macvlan_device_event() - net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node - net/x25: Fix x25_neigh refcnt leak when receiving frame - tcp: cache line align MAX_TCP_HEADER - team: fix hang in team_mode_get() - [armhf] net: dsa: b53: Fix ARL register definitions - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish - [x86] ALSA: hda: Remove ASUS ROG Zenith from the blacklist - USB: sisusbvga: Change port variable from signed to unsigned - USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE - USB: hub: Fix handling of connect changes during sleep - overflow.h: Add arithmetic shift helper - vmalloc: fix remap_vmalloc_range() bounds checks - ALSA: usx2y: Fix potential NULL dereference - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif - ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices - [x86] tpm/tpm_tis: Free IRQ if probing fails - KVM: Check validity of resolved slot when searching memslots - [i386] KVM: VMX: Enable machine check support for 32bit targets - tty: hvc: fix buffer overflow during hvc_alloc(). - [x86] tty: rocket, avoid OOB access - usb-storage: Add unusual_devs entry for JMicron JMS566 - audit: check the length of userspace generated audit records - ASoC: dapm: fixup dapm kcontrol widget - [i386] staging: comedi: dt2815: fix writing hi byte of analog output - staging: comedi: Fix comedi_device refcnt leak in comedi_open - [x86] staging: vt6656: Fix drivers TBTT timing counter. - [x86] staging: vt6656: Power save stop wake_up_count wrap around. - UAS: no use logging any details in case of ENODEV - UAS: fix deadlock in error handling and PM flushing work - usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() - remoteproc: Fix wrong rvring index computation - fuse: fix possibly missed wake-up after abort - mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer - nfsd: memory corruption in nfsd4_lock() - net/cxgb4: Check the return from t4_query_params properly - perf/core: fix parent pid/tid in task exit events - [x86] bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B - xfs: fix partially uninitialized structure in xfs_reflink_remap_extent - scsi: target: fix PR IN / READ FULL STATUS for FC - objtool: Fix CONFIG_UBSAN_TRAP unreachable warnings - objtool: Support Clang non-section symbols in ORC dump - xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status - ext4: convert BUG_ON's to WARN_ON's in mballoc.c - hwmon: (jc42) Fix name to have no illegal characters - ext4: check for non-zero journal inum in ext4_calculate_overhead https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.222 - ext4: fix special inode number checks in __ext4_iget() - drm/edid: Fix off-by-one in DispID DTD pixel clock - drm/qxl: qxl_release leak in qxl_draw_dirty_fb() - drm/qxl: qxl_release leak in qxl_hw_surface_alloc() - btrfs: fix block group leak when removing fails - ALSA: hda/hdmi: fix without unlocked before return - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly - PM: ACPI: Output correct message on target power state - PM: hibernate: Freeze kernel threads in software_resume() - dm verity fec: fix hash block number in verity_fec_decode - RDMA/mlx4: Initialize ib_spec on the stack - vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() - [x86] iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system - [i386] ALSA: opti9xx: shut up gcc-10 range warning - nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl - dmaengine: dmatest: Fix iteration non-stop logic - drm/qxl: qxl_release use after free https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.223 - vhost: vsock: kick send_pkt worker once device is started - [ppc64el] pci/of: Parse unassigned resources - [armhf] ASoC: sgtl5000: Fix VAG power-on handling - wimax/i2400m: Fix potential urb refcnt leak - [armhf,arm64] net: stmmac: Fix sub-second increment - cifs: protect updating server->dstaddr with a spinlock - scripts/config: allow colons in option strings for sed - [armhf] net: dsa: b53: Rework ARL bin logic - lib/mpi: Fix building for powerpc with clang - xprtrdma: Fix backchannel allocation of extra rpcrdma_reps - [mips*] perf: Remove incorrect odd/even counter handling for I6400 - sctp: Fix SHUTDOWN CTSN Ack in the peer restart case - [x86] ALSA: hda: Match both PCI ID and SSID for driver blacklist - mac80211: add ieee80211_is_any_nullfunc() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.224 - USB: serial: qcserial: Add DW5816e support - dp83640: reverse arguments to list_add_tail - fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks - net: macsec: preserve ingress frame ordering - net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() - net: usb: qmi_wwan: add support for DW5816e - sch_choke: avoid potential panic in choke_reset() - sch_sfq: validate silly quantum values - bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features(). - net/mlx5: Fix forced completion access non initialized command entry - net/mlx5: Fix command entry leak in Internal Error State - bnxt_en: Improve AER slot reset. - [x86] Revert "ACPI / video: Add force_native quirk for HP Pavilion dv6" - binfmt_elf: move brk out of mmap when doing direct loader exec - USB: uas: add quirk for LaCie 2Big Quadra - USB: serial: garmin_gps: add sanity checking for data length - tracing: Add a vmalloc_sync_mappings() for safe measure - mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() - batman-adv: fix batadv_nc_random_weight_tq - batman-adv: Fix refcnt leak in batadv_show_throughput_override - batman-adv: Fix refcnt leak in batadv_store_throughput_override - batman-adv: Fix refcnt leak in batadv_v_ogm_process - objtool: Fix stack offset tracking for indirect CFAs - binfmt_elf: Do not move brk for INTERP-less ET_EXEC - net: ipv6: add net argument to ip6_dst_lookup_flow - net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup (CVE-2020-1749) - ptp: do not explicitly set drvdata in ptp_clock_register() - ptp: use is_visible method to hide unused attributes - ptp: create "pins" together with the rest of attributes - chardev: add helper function to register char devs with a struct device - ptp: Fix pass zero to ERR_PTR() in ptp_clock_register - ptp: fix the race between the release of ptp_clock and cdev (CVE-2020-10690) - ptp: free ptp device pin descriptors properly - shmem: fix possible deadlocks on shmlock_user_lock - drop_monitor: work around gcc-10 stringop-overflow warning - spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls (CVE-2020-12769) - cifs: Check for timeout on Negotiate stage - cifs: Fix a race condition with cifs_echo_request - [x86] dmaengine: pch_dma.c: Avoid data race between probe and irq handler - ALSA: hda/hdmi: fix race in monitor detection during probe - drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() - ipc/util.c: sysvipc_find_ipc() incorrectly updates position index - [x86] pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler - i40iw: Fix error handling in i40iw_manage_arp_cache() - netfilter: conntrack: avoid gcc-10 zero-length-bounds warning - IB/mlx4: Test return value of calls to ib_get_cached_pkey - pnp: Use list_for_each_entry() instead of open coding - gcc-10 warnings: fix low-hanging fruit - Stop the ad-hoc games with -Wno-maybe-initialized - net: phy: micrel: Use strlcpy() for ethtool::get_strings - net: fix a potential recursive NETDEV_FEAT_CHANGE - Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" - net: ipv4: really enforce backoff for redirects - netprio_cgroup: Fix unlimited memory leak of v2 cgroups - [x86] ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 - ALSA: rawmidi: Initialize allocated buffers - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset - usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list - exec: Move would_dump into flush_old_exec - usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' - usb: gadget: audio: Fix a missing error return value in audio_bind() - usb: gadget: legacy: fix error return code in gncm_bind() - usb: gadget: legacy: fix error return code in cdc_bind() - [x86] KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce - Makefile: disallow data races on gcc-10 as well https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.225 - igb: use igb_adapter->io_addr instead of e1000_hw->hw_addr - padata: Remove unused but set variables - padata: get_next is never NULL - padata: ensure the reorder timer callback runs on the correct CPU - padata: ensure padata_do_serial() runs on the correct CPU - ima: Fix return value of ima_write_policy() - vfs: fix multiplication overflow in copy_fdtable() - [x86] iommu/amd: Fix over-read of ACPI UID from IVRS table - HID: multitouch: add eGalaxTouch P80H84 support - configfs: fix config_item refcnt leak in configfs_rmdir() - component: Silence bind error on -EPROBE_DEFER - gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() - ceph: fix double unlock in handle_cap_export() - USB: core: Fix misleading driver bug report - [x86] platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA - [armel,armhf] futex: Address build warning - i2c: dev: Fix the race between the release of i2c_dev and cdev - padata: set cpu_index of unused CPUs to -1 - padata: Replace delayed timer with immediate workqueue in padata_reorder - padata: initialize pd->cpu with effective cpumask - padata: purge get_cpu and reorder_via_wq from padata_do_serial - [arm64] fix the flush_icache_range arguments in machine_kexec - watchdog: Fix the race between the release of watchdog_core_data and cdev - net: l2tp: export debug flags to UAPI - net: l2tp: deprecate PPPOL2TP_MSG_* in favour of L2TP_MSG_* - net: l2tp: ppp: change PPPOL2TP_MSG_* => L2TP_MSG_* - net: New kernel function to get IP overhead on a socket. - L2TP:Adjust intf MTU, add underlay L3, L2 hdrs. - l2tp: remove useless duplicate session detection in l2tp_netlink - l2tp: remove l2tp_session_find() - l2tp: define parameters of l2tp_session_get*() as "const" - l2tp: define parameters of l2tp_tunnel_find*() as "const" - l2tp: initialise session's refcount before making it reachable - l2tp: hold tunnel while looking up sessions in l2tp_netlink - l2tp: hold tunnel while processing genl delete command - l2tp: hold tunnel while handling genl tunnel updates - l2tp: hold tunnel while handling genl TUNNEL_GET commands - l2tp: hold tunnel used while creating sessions with netlink - l2tp: prevent creation of sessions on terminated tunnels - l2tp: pass tunnel pointer to ->session_create() (CVE-2018-9517) - l2tp: fix l2tp_eth module loading - l2tp: don't register sessions in l2tp_session_create() - l2tp: initialise l2tp_eth sessions before registering them - l2tp: protect sock pointer of struct pppol2tp_session with RCU - l2tp: initialise PPP sessions before registering them - ALSA: pcm: fix incorrect hw_base increase - [arm64] dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' - l2tp: device MTU setup, tunnel socket needs a lock - [x86] platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer - libnvdimm/btt: Remove unnecessary code in btt_freelist_init - cxgb4: free mac_hlist properly - cxgb4/cxgb4vf: Fix mac_hlist initialization and free - [x86] mei: release me_cl object reference https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.226 - ax25: fix setsockopt(SO_BINDTODEVICE) - net: ipip: fix wrong address family in init error path - net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" - net sched: fix reporting the first-time use timestamp - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed - net/mlx5e: Update netdev txq on completions during closure - net/mlx5: Add command entry handling completion - net: sun: fix missing release regions in cas_init_one(). - net/mlx4_core: fix a memory leak bug. - uapi: fix linux/if_pppol2tp.h userspace compilation errors - IB/cma: Fix reference count leak when no ipv4 addresses are set - [armhf,arm64] gpio: tegra: mask GPIO IRQs during IRQ shutdown - gfs2: move privileged user check to gfs2_quota_lock_check - cachefiles: Fix race between read_waiter and read_copier involving op->to_do - usb: gadget: legacy: fix redundant initialization warnings - cifs: Fix null pointer check in cifs_read - Input: usbtouchscreen - add support for BonXeon TP - Input: evdev - call input_flush_device() on release(), not flush() - Input: xpad - add custom init packet for Xbox One S controllers - [x86] Input: i8042 - add ThinkPad S230u to i8042 reset list - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() - IB/qib: Call kobject_put() when kobject_init_and_add() fails - [armhf] dts: imx: Correct B850v3 clock assignment - [armhf] dts: imx6q-bx50v3: Add internal switch - [armhf] dts/imx6q-bx50v3: Set display interface clock parents - ALSA: hwdep: fix a left shifting 1 by 31 UB bug - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC - exec: Always set cap_ambient in cap_bprm_set_creds - libceph: ignore pool overlay and cache logic on redirects - mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() - iommu: Fix reference count leak in iommu_group_alloc. - mac80211: mesh: fix discovery timer re-arming issue / crash - [x86] dma: Fix max PFN arithmetic overflow on 32 bit systems - xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input - xfrm: fix a warning in xfrm_policy_insert_list - xfrm: fix a NULL-ptr deref in xfrm_local_error - vti4: eliminated some duplicate code. - ip_vti: receive ipip packet by calling ip_tunnel_rcv - netfilter: nft_reject_bridge: enable reject with bridge vlan - netfilter: ipset: Fix subcounter update skip - netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code - qlcnic: fix missing release in qlcnic_83xx_interrupt_test. - bonding: Fix reference count leak in bond_sysfs_slave_add. - netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build - genirq/generic_pending: Do not lose pending affinity update - net: rtnl_configure_link: fix dev flags changes arg to __dev_notify_flags - mm/vmalloc.c: don't dereference possible NULL pointer in __vunmap() - [arm64] net: hns: Fixes the missing put_device in positive leg for roce reset - [s390x] scsi: zfcp: fix request object use-after-free in send path causing wrong traces https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.227 - scsi: scsi_devinfo: fixup string compare - usb: gadget: f_uac2: fix error handling in afunc_bind (again) - esp6: fix memleak on error path in esp6_input - [s390x] ftrace: save traced function caller - [x86] mmiotrace: Use cpumask_available() for cpumask_var_t variables - [armhf,arm64] net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x - [armhf,arm64] net: smsc911x: Fix runtime PM imbalance on error - pppoe: only process PADT targeted at local interfaces - HID: i2c-hid: add Schneider SCL142ALM to descriptor override - p54usb: add AirVasT USB stick device-id - mmc: fix compilation of user API - scsi: ufs: Release clock if DMA map fails - airo: Fix read overflows sending packets - devinet: fix memleak in inetdev_init() - l2tp: do not use inet_hash()/inet_unhash() - net: usb: qmi_wwan: add Telit LE910C1-EUX composition - vsock: fix timeout in vsock_accept() - l2tp: add sk_family checks to l2tp_validate_socket - USB: serial: qcserial: add DW5816e QDL support - USB: serial: usb_wwan: do not resubmit rx urb on fatal errors - USB: serial: option: add Telit LE910C1-EUX compositions - [armhf] usb: musb: Fix runtime PM imbalance on error - vt: keyboard: avoid signed integer overflow in k_ascii (CVE-2020-13974) - tty: hvc_console, fix crashes on parallel open/close - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK - [arm64] nvmem: qfprom: remove incorrect write support - uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.228 - ipv6: fix IPV6_ADDRFORM operation logic - vxlan: Avoid infinite loop when suppressing NS messages with invalid options - scsi: return correct blkprep status code in case scsi_init_io() fails. - crypto: talitos - fix ECB and CBC algs ivsize - [armel,armhf] 8977/1: ptrace: Fix mask for thumb breakpoint hook - sched/fair: Don't NUMA balance for kthreads - ath9k_htc: Silence undersized packet warnings - [amd64] Fix jiffies ODR violation - [x86] PCI: Mark Intel C620 MROMs as having non-compliant BARs - [x86] speculation: Prevent rogue cross-process SSBD shutdown (CVE-2020-10766) - [x86] reboot/quirks: Add MacBook6,1 reboot quirk - efi/efivars: Add missing kobject_put() in sysfs entry creation error path - [i386] ALSA: es1688: Add the missed snd_card_free() - ALSA: usb-audio: Fix inconsistent card PM state after resume - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() - ACPI: GED: add support for _Exx / _Lxx handler methods - ACPI: PM: Avoid using power resources if there are none for D0 - cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages - nilfs2: fix null pointer dereference at nilfs_segctor_do_construct() - [armhf,arm64] spi: bcm2835aux: Fix controller unregister order - ALSA: pcm: disallow linking stream to itself - [x86] speculation: Change misspelled STIPB to STIBP - [x86] speculation: Add support for STIBP always-on preferred mode - [x86] speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS. (CVE-2020-10767 ) - [x86] speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches. (CVE-2020-10768) - spi: No need to assign dummy value in spi_unregister_controller() - spi: Fix controller unregister order - [armhf,arm64] spi: bcm2835: Fix controller unregister order - ovl: initialize error in ovl_copy_xattr - proc: Use new_inode not new_inode_pseudo - [x86] KVM: nSVM: leave ASID aside in copy_vmcb_control_area - [x86] KVM: nVMX: Consult only the "basic" exit reason when routing nested exit - ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx - ath9k: Fix use-after-free Write in ath9k_htc_rx_msg - ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb - mm/slub: fix a memory leak in sysfs_slab_add() - fat: don't allow to mount if the FAT length == 0 - perf: Add cond_resched() to task_function_call() - [x86] agp/intel: Reinforce the barrier after GTT updates - media: dvb_frontend: ensure that inital front end status initialized - ACPI: GED: use correct trigger type field in _Exx / _Lxx handling - objtool: Ignore empty alternatives - net: ena: fix error returning in ena_com_get_hash_function() - Bluetooth: Add SCO fallback for invalid LMP parameters error - [armhf] clocksource: dw_apb_timer_of: Fix missing clockevent timers - btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums - [armel,armhf] 8978/1: mm: make act_mm() respect THREAD_SIZE - [x86] kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit - [x86] net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() - dt-bindings: display: mediatek: control dpi pins mode to avoid leakage - media: dvb: return -EREMOTEIO on i2c transfer failure. - [mips*] Make sparse_init() using top-down allocation - netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported - exit: Move preemption fixup up, move blocking operations down - [armhf] net: allwinner: Fix use correct return type for ndo_start_xmit() - [mips*] cm: Fix an invalid error code of INTVN_*_ERR - md: don't flush workqueue unconditionally in md_open - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() - mwifiex: Fix memory corruption in dump_station - [mips*] Add udelay lpj numbers adjustment - [x86] mm: Stop printing BRK addresses - macvlan: Skip loopback packets in RX handler - PCI: Don't disable decoding when mmio_always_on is set - [mips*] Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() - ixgbe: fix signed-integer-overflow warning - [armhf] mmc: sdhci-esdhc-imx: fix the mask for tuning start point - cpuidle: Fix three reference count leaks - btrfs: send: emit file capabilities after chown - mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked() - ima: Fix ima digest hash table key calculation - ima: Directly assign the ima_default_policy pointer to ima_rules - ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max - ext4: fix race between ext4_sync_parent() and rename() - btrfs: fix error handling when submitting direct I/O bio - blk-mq: move blk_mq_update_nr_hw_queues synchronize_rcu call - PCI: Program MPS for RCiEP devices - e1000e: Relax condition to trigger reset for ME workaround - carl9170: remove P2P_GO support - media: go7007: fix a miss of snd_card_free - b43legacy: Fix case where channel status is corrupted - b43: Fix connection problem with WPA3 - b43_legacy: Fix connection problem with WPA3 - igb: Report speed and duplex as unknown when device is runtime suspended - [arm64] power: vexpress: add suppress_bind_attrs to true - [armhf] pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs - kernel/cpu_pm: Fix uninitted local in cpu_pm - [armhf] tegra: Correct PL310 Auxiliary Control Register initialization - kbuild: force to build vmlinux if CONFIG_MODVERSION=y - sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate registrations. - sunrpc: clean up properly in gss_mech_unregister() - [armhf] w1: omap-hdq: cleanup to add missing newline for some dev_dbg - perf probe: Do not show the skipped events - perf symbols: Fix debuginfo search for Ubuntu . [ Ben Hutchings ] * debian/README.source: Refer to upload checklist in kernel-team.git * Bump ABI to 13 * [rt] Update to 4.9.228-rt147: - Drop "x86/ioapic: Do not unmask io_apic when interrupt is in progress" - Revert "genirq: Fix reference leaks on irq affinity notifiers" * scsi: scsi_devinfo: handle non-terminated strings (regression in 4.9.227) linux (4.9.210-1+deb9u1) stretch-security; urgency=high . [ Salvatore Bonaccorso ] * selinux: properly handle multiple messages in selinux_netlink_send() (CVE-2020-10751) * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114) * USB: core: Fix free-while-in-use bug in the USB S-Glibrary (CVE-2020-12464) * scsi: sg: add sg_remove_request in sg_common_write * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770) * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143) * netlabel: cope with NULL catmap (CVE-2020-10711) * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (CVE-2020-10732) * kernel/relay.c: handle alloc_percpu returning NULL in relay_open (CVE-2019-19462) * mm: Fix mremap not considering huge pmd devmap (CVE-2020-10757) . [ Ben Hutchings ] * [arm64] Enforce BBM for huge IO/VMAP mappings (CVE-2019-2182): - arm64: mm: BUG on unsupported manipulations of live kernel mappings - arm64: don't open code page table entry creation - arm64: mm: Change page table pointer name in p[md]_set_huge() - arm64: Enforce BBM for huge IO/VMAP mappings - arm64: Make sure permission updates happen for pmd/pud * cfg80211/mac80211: make ieee80211_send_layer2_update a public function * mac80211: Do not send Layer 2 Update frame before authorization (CVE-2019-5108) * ext4: Fix various bugs: - ext4: Make checks for metadata_csum feature safer - ext4: avoid declaring fs inconsistent due to invalid file handles - ext4: protect journal inode's blocks using block_validity (CVE-2019-19319) - ext4: unsigned int compared against zero - ext4: fix block validity checks for journal inodes using indirect blocks - ext4: don't perform block validity checks on the journal inode - ext4: add cond_resched() to ext4_protect_reserved_inode (CVE-2020-8992) * blktrace: Fix various locking issues: - blktrace: Fix potential deadlock between delete & sysfs ops - blktrace: fix unlocked access to init/start-stop/teardown - blktrace: fix trace mutex deadlock - blktrace: Protect q->blk_trace with RCU (CVE-2019-19768) - blktrace: fix dereference after null check * media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame (CVE-2019-20806) * [x86] KVM: nVMX: Fix incorrect instruction emulation (CVE-2020-2732): - KVM: x86: emulate RDPID - KVM: nVMX: Don't emulate instructions in guest mode - KVM: nVMX: Refactor IO bitmap checks into helper function - KVM: nVMX: Check IO instruction VM-exit conditions * vfs: do_last(): fetch directory ->i_mode and ->i_uid before it's too late (CVE-2020-8428) * vfs: fix do_last() regression * vgacon: Fix a UAF in vgacon_invert_region (CVE-2020-8647, CVE-2020-8649) * locking/atomic, kref: Add kref_read() * vt: Fix various bugs: - vt: selection, handle pending signals in paste_selection - VT_RESIZEX: get rid of field-by-field copyin - vt: vt_ioctl: fix race in VT_RESIZEX - vt: selection, close sel_buffer race (CVE-2020-8648) - vt: selection, push console lock down - vt: selection, push sel_lock up - vt: selection, introduce vc_is_sel - vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines - vt: switch vt_dont_switch to bool - vt: vt_ioctl: remove unnecessary console allocation checks - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual - vt: vt_ioctl: fix use-after-free in vt_in_use() * floppy: check FDC index for errors before assigning it (CVE-2020-9383) * vhost: Check docket sk_family instead of call getname (CVE-2020-10942) * slip, slcan: Fix various bugs: - can, slip: Protect tty->disc_data in write_wakeup and close - slcan: not call free_netdev before rtnl_unlock in slcan_open - slcan: Fix double-free on slcan_open() error path - slcan: Don't transmit uninitialized stack data in padding (CVE-2020-11494) - slip: stop double free sl->dev in slip_open - slip: not call free_netdev before rtnl_unlock in slip_open - slip: make slhc_compress() more robust against malicious * mm: mempolicy: require at least one nodeid for MPOL_PREFERRED (CVE-2020-11565) * media: usb: Fix several descriptor checks: - media: ov519: add missing endpoint sanity checks (CVE-2020-11608) - media: stv06xx: add missing descriptor sanity checks (CVE-2020-11609) - media: xirlink_cit: add missing descriptor sanity checks (CVE-2020-11668) * scsi: mptfusion: Fix double fetch bug in ioctl (CVE-2020-12652) * mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() (CVE-2020-12653) * mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() (CVE-2020-12654) * macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (Closes: #952660) * block: Avoid ABI change for blktrace locking * net-sysfs: Fix reference counting bugs: - net: don't decrement kobj reference count on init failure - net-sysfs: call dev_hold if kobject_init_and_add success (CVE-2019-20811) - net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject - net-sysfs: fix netdev_queue_add_kobject() breakage - net-sysfs: Call dev_hold always in netdev_queue_add_kobject - net-sysfs: Call dev_hold always in rx_queue_add_kobject * propagate_one(): mnt_set_mountpoint() needs mount_lock * [x86] Add support for mitigation of Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543): - x86/cpu: Add 'table' argument to cpu_matches() - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation - x86/speculation: Add SRBDS vulnerability and mitigation documentation - x86/speculation: Add Ivy Bridge to affected list * [x86] speculation: Do not match steppings, to avoid an ABI change * random: always use batched entropy for get_random_u{32,64} * [rt] Refresh "random: avoid preempt_disable()ed section" linux-latest (80+deb9u11) stretch; urgency=medium . * Update to 4.9.0-13 mailman (1:2.1.23-1+deb9u5) stretch-security; urgency=high . * Upload to strech for security issue. * Fix stored cross site scripting in attachment extensions. mariadb-10.1 (10.1.45-0+deb9u1) stretch; urgency=high . * SECURITY UPDATE: New upstream version 10.1.45. Includes fixes for the following security vulnerabilities: - CVE-2020-2752 - CVE-2020-2812 - CVE-2020-2814 megatools (1.9.98-1+deb9u1) stretch; urgency=medium . * debian/patches/support-new-links.patch: - Add support for the new format of mega.nz links. mod-gnutls (0.8.2-3+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Backported patches to fix test failures with the apache CVE-2019-10092 fix. (Closes: #950300) mod-gnutls (0.8.2-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Avoid deprecated ciphersuites in test suite (Closes: #907008) mutt (1.7.2-1+deb9u3) stretch-security; urgency=high . * debian/patches: + added security/CVE-not-yet-released.patch to fix a possible MITM response injection attack when using STARTTLS with IMAP, POP3 and SMTP. mutt (1.7.2-1+deb9u2) stretch-security; urgency=high . * debian/patches: + added security/CVE-2020-14093.patch to fix the relevant CVE related to IMAP MITM attack via a PREAUTH response mysql-connector-java (5.1.49-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the LTS Team. * New upstream release version 5.1.49 which fixes CVE-2020-2875, CVE-2020-2933, CVE-2020-2934. * Refresh patches. * Lock debian/watch to 5.x branch. mysql-connector-java (5.1.45-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.3 * Switch to debhelper level 11 * Use a secure URL in debian/watch mysql-connector-java (5.1.44-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.1 neon27 (0.30.2-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Run OpenSSL checks but don't fail on them, to workaround build failures due to OpenSSL changes. netqmail (1.06-6.2~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch-security . netqmail (1.06-6.2) unstable; urgency=high . * Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and CVE-2020-3812 (Closes: #961060) . netqmail (1.06-6.1) unstable; urgency=medium . * Non-maintainer upload. * [fdc8794a] Setup Gitlab continous integration * [73e52807] Fix quotation in postinst (Closes: #866038) * [2fc47776] Make package piupart-clean (Closes: #672155) netqmail (1.06-6.1) unstable; urgency=medium . * Non-maintainer upload. * [fdc8794a] Setup Gitlab continous integration * [73e52807] Fix quotation in postinst (Closes: #866038) * [2fc47776] Make package piupart-clean (Closes: #672155) network-manager-ssh (1.2.1-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Privilege escalation because extra options are mishandled (CVE-2020-9355) nfs-utils (1:1.3.4-2.1+deb9u1) stretch; urgency=medium . * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848) * Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be accessible by statd or sm-notify after they drop privileges. * debian/control: Point Vcs URLs to kernel-team namespace repository nginx (1.10.3-1+deb9u4) stretch; urgency=medium . * Handle CVE-2019-20372, error page request smuggling (Closes: #948579) node-url-parse (1.0.5-2+deb9u1) stretch; urgency=medium . * Add patch to sanitize paths and hosts before parsing (Closes: #906058, CVE-2018-3774) * Enable upstream test. This embeds some little modules for test only: ansi-codes, assume, failing-code, failing-line, fn.name, format-text, is-node, left-pad, pathval, prettify-error and style-format nvidia-graphics-drivers (390.138-1) stretch; urgency=medium . * New upstream legacy branch release 390.138 (2020-06-24). * Fixed CVE-2020-5963, CVE-2020-5967. (Closes: #963766) https://nvidia.custhelp.com/app/answers/detail/a_id/5031 - Fixed a driver installation failure on Linux kernel 5.6 release candidates, where the NVIDIA kernel module failed to build with error "implicit declaration of function 'timespec_to_ns'". - Fixed a driver installation failure on Linux kernel 5.6 release candidates, where the NVIDIA kernel module failed to build with error "implicit declaration of function 'getrawmonotonic'". - Fixed a driver installation failure on Linux kernel 5.6 release candidates, where the NVIDIA kernel module failed to build with error "implicit declaration of function 'getnstimeofday'". - Fixed a driver installation failure on Linux kernel 5.6 release candidates, where the NVIDIA kernel module failed to build with error "dereferencing pointer to incomplete type 'struct timeval'". - Fixed a driver installation failure on Linux kernel 5.6 release candidates, where the NVIDIA kernel module failed to build with error "implicit declaration of function 'jiffies_to_timespec'". - Fixed driver installation failure on Linux kernel 5.6 release candidates, where the NVIDIA kernel module failed to build with error "passing argument 4 of 'proc_create_data' from incompatible pointer type". - Fixed driver installation failure on Linux kernel 5.6 release candidates, where the NVIDIA kernel module failed to build with error "implicit declaration of function 'ioremap_nocache'". (Closes: #956458) - Fixed driver installation failure on Oracle Linux 7.7 systems, where the NVIDIA kernel module failed to build with error "unknown type name 'vm_fault_t'". - Add PRIME Synchronization support for Linux kernel 5.4 and newer. . [ Andreas Beckmann ] * Fix #includes in conftest.sh to fix kernel module build for Linux 5.7, thanks to Jiri Palecek. (Closes: #960735) * Refresh patches. * Update lintian overrides. nvidia-graphics-drivers (390.132-1) stretch; urgency=medium . * New upstream legacy branch release 390.132 (2019-11-08). - Fixed kernel module build problems with Linux kernel 5.4.0 release candidates. - Updated nvidia-bug-report.sh to collect information about X server crashes from coredumpctl, when available. . [ Andreas Beckmann ] * Refresh patches. * debian/gen-control.pl: Support substitutions in the Architecture field and skip packages with empty or commented Architecture field (430.50-2). * Create and commit tarball symlinks for legacy branches (430.64-1). * Allow alternative libnvidia-{tesla,legacy-*}-ml1 packages to substitute libnvidia-ml1 (430.64-2). - Add Provides: libnvidia-ml.so.1 (= ${nvidia:Version}). - Generate alternative versioned dependency on libnvidia-ml.so.1 through the symbols file. * Allow alternative libnvidia-{tesla,legacy-*}-cuda1 packages to substitute libcuda1 in third-party packages (430.64-3). - Add Provides: libcuda.so.1 (= ${nvidia:Version}). - Generate alternative versioned dependency on libcuda.so.1 through the symbols file. * Use substitution to keep Standards-Version in sync (430.64-5). * Insert '-' between suffix ending with digit and SOVERSION (435.21-3). * Rename "legacy" variables to more generic "variant" (440.44-2). * bug-control: Report information about more (virtual) packages (440.64-2). * Bump Standards-Version to 4.5.0. No changes needed. * Update lintian overrides. * *.symbols: List libraries from src:libglvnd (not in stretch) as second (instead of preferred) alternative dependencies. * Upload to stretch. . [ Luca Boccassi ] * Import drmP.patch from Fedora to fix kernel module build failure for Linux 5.5 and newer. (Closes: #951091) openjdk-8 (8u252-b09-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security openjdk-8 (8u252-b07-1) unstable; urgency=medium . * Update to 8u252-b07 (early access build). * Update ARM32 and AArch64 hotspot to 8u252-b06. * Build using GCC 9 in recent releases. openjdk-8 (8u242-b08-1) unstable; urgency=medium . * Team upload. * Merge changes from 8u242-b08-0ubuntu3 back into Debian * Fix nocheck profile (no profile support) for wheezy * Version !nocheck default-jre-headless build dependency to ensure at least Java 8 there as well; avoids needing to install two JREs when building in pre-{stretch,xenial} * Update aarch64 to GA jdk8u242-b08, aarch32 to jdk8u242-ga * Bump Policy . openjdk-8 (8u242-b08-0ubuntu3) focal; urgency=medium . * Sync packages with 8u242-b08: * OpenJDK 8u242-b08 build (release). - S8226352, CVE-2020-2590: Improve Kerberos interop capabilities - S8228548, CVE-2020-2593: Normalize normalization for all - S8224909, CVE-2020-2583: Unlink Set of LinkedHashSets - S8229951, CVE-2020-2601: Better Ticket Granting Services - S8231422, CVE-2020-2604: Better serial filter handling - S8231795, CVE-2020-2659: Enhance datagram socket support - S8234037, CVE-2020-2654: Improve Object Identifier Processing - S8037550: Update RFC references in javadoc to RFC 5280 - S8039438: Some tests depend on internal API sun.misc.IOUtils - S8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes - S8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace - S8080835: Add blocking bulk read to sun.misc.IOUtils - S8138978: Examine usages of sun.misc.IOUtils - S8139206: Add InputStream readNBytes(int len) - S8183591: Incorrect behavior when reading DER value with Integer.MAX_VALUE length - S8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime - S8186831: Kerberos ignores PA-DATA with a non-null s2kparams - S8186884: Test native KDC, Java krb5 lib, and native krb5 lib in one test - S8193832: Performance of InputStream.readAllBytes() could be improved - S8196956: (ch) More channels cleanup - S8201627: Kerberos sequence number issues - S8215032: Support Kerberos cross-realm referrals (RFC 6806) - S8225261: Better method resolutions - S8225279: Better XRender interpolation - S8226719: Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message" - S8227061: KDC.java test behaves incorrectly when AS-REQ contains a PAData not PA-ENC-TS-ENC - S8227381: GSS login fails with PREAUTH_FAILED - S8227437: S4U2proxy cannot continue because server's TGT cannot be found - S8227758: More valid PKIX processing - S8227816: More Colorful ICC profiles - S8230279: Improve Pack200 file reading - S8230318: Better trust store usage - S8230967: Improve Registry support of clients - S8231129: More glyph images - S8231139: Improved keystore support - S8232381: add result NULL-checking to freetypeScaler.c - S8232419: Improve Registry registration - S8233944: Make KerberosPrincipal.KRB_NT_ENTERPRISE field package private - S8235909: File.exists throws AccessControlException for invalid paths when a SecurityManager is installed - S8236983: [TESTBUG] Remove pointless catch block in test/jdk/sun/security/util/DerValue/BadValue.java - S8236984: Add compatibility wrapper for IOUtils.readFully * Use the hotspot arch list to select between hotspot and zero as the default VM for autopkgtests. This fixes s390x (zero based) autopkgtest support. openjdk-8 (8u242-b08-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security openjdk-8 (8u242-b04-1) unstable; urgency=medium . * Update to 8u242-b04 (early access build). openjdk-8 (8u232-b09-1) unstable; urgency=high . * Update to 8u222-b09 (release build). * Security fixes: - S8167646: Better invalid FilePermission. - S8213429, CVE-2019-2933: Windows file handling redux. - S8218573, CVE-2019-2945: Better socket support. - S8218877: Help transform transformers. - S8220186: Improve use of font temporary files. - S8220302, CVE-2019-2949: Better Kerberos ccache handling. - S8221497: Optional Panes in Swing. - S8221858, CVE-2019-2958: Build Better Processes. - S8222684, CVE-2019-2964: Better support for patterns. - S8222690, CVE-2019-2962: Better Glyph Images. - S8223163: Better pattern recognition. - S8223505, CVE-2019-2973: Better pattern compilation. - S8223518, CVE-2019-2975: Unexpected exception in jjs. - S8223892, CVE-2019-2978: Improved handling of jar files. - S8224025: Fix for JDK-8220302 is not complete. - S8224532, CVE-2019-2981: Better Path supports. - S8224915, CVE-2019-2983: Better serial attributes. - S8225286, CVE-2019-2987: Better rendering of native glyphs. - S8225292, CVE-2019-2988: Better Graphics2D drawing. - S8225298, CVE-2019-2989: Improve TLS connection support. - S8225597, CVE-2019-2992: Enhance font glyph mapping. - S8226765, CVE-2019-2999: Commentary on Javadoc comments. - S8227129: Better ligature for subtables. - S8227601: Better collection of references. - S8228825, CVE-2019-2894: Enhance ECDSA operations. openjfx (8u141-b14-3~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security openjfx (8u141-b14-2) unstable; urgency=medium . * Team upload. * Reverted the patch disabling the sampling profiler to its initial state openjfx (8u141-b14-1) unstable; urgency=medium . * Team upload. * New upstream release: - Fixes CVE-2017-10086 and CVE-2017-10114 (Closes: #870860) * Fixed the build failure with GCC 7 (Closes: #853593) * Use the gold linker with memory saving options to avoid build failures caused by lack of RAM (Closes: #857464) * Fixed a build failure on powerpc caused by a different ucontext_t definition * Backported a fix for accented characters in textfields (Closes: #872619) * libopenjfx-java now suggests installing openjfx (Closes: #849419) * Added lintian overrides to remove the warnings related to the js files * Disabled the buildSrc tests to work around a Gradle bug * Standards-Version updated to 4.1.1 openjfx (8u131-b11-2) unstable; urgency=medium . * Team upload. * Make a Release instead of a Debug build * Disabled the sampling profiler in WebKit (fails to build on arm64) * Disabled assembler in WebKit on mips openjfx (8u131-b11-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches openjfx (8u121-b13-2) unstable; urgency=medium . * Team upload. * Removed the -m32 flags * Removed the -msse2 flag on non Intel architectures openjfx (8u121-b13-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches - New build dependency on cmake - Copy libicui18n.so, libicuuc.so, libicudata.so and libsqlite3.so in the modules/web/build/linux/import/lib directory to build JavaScriptCore - Backported a fix for an ambiguous call to the pow() function in BoxShape - Install the javapackager script and its man page * Switch to debhelper level 10 * Disabled parallel building to avoid build failures openldap (2.4.44+dfsg-5+deb9u4) stretch-security; urgency=high . * Fix slapd to limit depth of nested expressions in search filters (ITS#9202) opensmtpd (6.0.2p1-2+deb9u3) stretch-security; urgency=high . * Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794) An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group. OpenBSD 6.6 errata 021: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig pcl (1.8.0+dfsg1-4+deb9u1) stretch; urgency=medium . * Add dependency to libvtk6-qt-dev (Closes: #894656) pcl (1.8.0+dfsg1-4) experimental; urgency=medium . * Add patch for arm build failures. Thanks to Gianfranco Costamagna * Enable QT on arm again perl (5.24.1-3+deb9u7) stretch; urgency=medium . * Multiple regexp security fixes (Closes: #962005) + [SECURITY] CVE-2020-10543: Buffer overflow caused by a crafted regular expression + [SECURITY] CVE-2020-10878: Integer overflow via malformed bytecode produced by a crafted regular expression + [SECURITY] CVE-2020-12723: Buffer overflow caused by a crafted regular expression * Fix FTBFS with IPv6-only host (Closes: #962019) php-horde (5.2.13+debian0-1+deb9u2) stretch; urgency=medium . * CVE-2020-8035: Don't allow to view images inline if opened directly. * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase. php-horde-data (2.1.4-3+deb9u1) stretch; urgency=high . * Fix CVE-2020-8518: The Horde Application Framework contained a remote code execution vulnerability. An authenticated remote attacker could use this flaw to cause execution of uploaded CSV data. (Closes: #951537) php-horde-form (2.0.15-1+deb9u2) stretch; urgency=high . * Fix CVE-2020-8866: The Horde Application Framework contained a remote code execution vulnerability. An authenticated remote attacker could use this flaw to upload arbitrary content to an arbitrary writable location on the server and potentially execute code in the context of the web server user. (Closes: #955020) php-horde-gollem (3.0.10-1+deb9u1) stretch; urgency=medium . * debian/patches: + Add CVE-2020-8034.patch. Fix XSS vulnerability in breadcrumb output (Reported by: polict of Shielder). (Closes: #961649, CVE-2020-8034). php-horde-trean (1.1.7-1+deb9u1) stretch; urgency=high . * Fix CVE-2020-8865: The Horde Application Framework contained a directory traversal vulnerability resulting from insufficient input sanitization. An authenticated remote attacker could use this flaw to execute code in the context of the web server user. (Closes: #955019) php7.0 (7.0.33-0+deb9u8) stretch-security; urgency=high . * Backported from 7.2.28 - DOM: . Fixed bug #77569: (Write Access Violation in DomImplementation). - Phar: . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063) - Session: . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062) * Backported from 7.2.29 - Core: . Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066) - EXIF: . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) * Backported from 7.2.30 - Standard: . Fixed bug #79330 (shell_exec silently truncates after a null byte). . Fixed bug #79465 (OOB Read in urldecode). (CVE-2020-7067) * Backported from 7.2.31 - Core: . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048) . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048) * Add upstream patch to fix bug #76895 php7.0 (7.0.33-0+deb9u7) stretch-security; urgency=medium . * Use mysqld --initialize-insecure for MySQL 8.0 (for Ubuntu 19.10) * Disable MySQL X Plugin in the tests * Remove --skip-grant-tables to fix FTBFS with MySQL 8.0 * Remove --without-mysqlx from MySQL 5.7 * Backported from 7.2.27 - Mbstring: . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060) - Standard: . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). * Backported from 7.2.26 - Bcmath: . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046). - Core: . Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044). . Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045). - EXIF: . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050). . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047). phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=high . * Team upload * Several security fixes - Cross-site scripting (XSS) vulnerability in db_central_columns.php (PMASA-2018-1, CVE-2018-7260, Closes: #893539) - Remove transformation plugin includes (PMASA-2018-6, CVE-2018-19968) - Fix Stored Cross-Site Scripting (XSS) in navigation tree (PMASA-2018-8, CVE-2018-19970) - Fix information leak (arbitrary file read) using SQL queries (PMASA-2019-1, CVE-2019-6799, Closes: #920823) - a specially crafted username can be used to trigger a SQL injection attack (PMASA-2019-2, CVE-2019-6798, Closes: #920822) - SQL injection in Designer feature (PMASA-2019-3, CVE-2019-11768, Closes: #930048) - CSRF vulnerability in login form (PMASA-2019-4, CVE-2019-12616, Closes: #930017) - SQL injection, escape username in the query (PMASA-2020-1, CVE-2020-5504, Closes: #948718) - Add a patch to escape some parameters when changing passwords (PMASA-2020-2, CVE-2020-10804, Closes: #954667) - Add a patch to escape database and table name (PMASA-2020-3, CVE-2020-10802, Closes: #954665) - Add a patch to secure sql_query parameter (PMASA-2020-4, CVE-2020-10803, Closes: #954666) pillow (4.0.0-4+deb9u1) stretch-security; urgency=medium . * CVE-2019-19911 CVE-2020-5312 CVE-2020-5313 postfix (3.1.15-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Check GPG signature when downloading new versions via uscan . [Wietse Venema] . * 3.1.15 - Bugfix (introduced: Postfix 2.8): don't gratuitously enable all after-220 tests when only one such test is enabled. This made selective tests impossible with 'good' clients. File: postscreen/postscreen_smtpd.c. - Bugfix (introduced: Postfix 3.1): support for smtp_dns_resolver_options was broken while adding support for negative DNS response caching in postscreen. Postfix was inadvertently changed to call res_query() instead of res_search(). Reported by Jaroslav Skarvada. File: dns/dns_lookup.c. - Bugfix (introduced: Postfix 3.0): sanitize server responses before storing them in the verify database, to avoid Postfix warnings about malformed UTF8. File: verify/verify.c. - Bugfix (introduced: Postfix 2.5): the Milter connect event macros were evaluated before the Milter connection itself had been negotiated. Problem reported by David Bürgin. Files: milter/milter.h, milter/milter.c, milter/milter8.c postgresql-9.6 (9.6.17-0+deb9u1) stretch-security; urgency=medium . * New upstream version. + Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION. . Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720) ppp (2.4.7-1+4+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * pppd: Fix bounds check in EAP code (CVE-2020-8597) (Closes: #950618) proftpd-dfsg (1.3.5b-4+deb9u5) stretch; urgency=medium . * Add patch from upstream to solve bug4385. (Closes: #949622). * Disable call to /usr/share/debconf/confmodule. Causes hangs during postinst and it is unsure why we have it at all. (Closes: #870624) proftpd-dfsg (1.3.5b-4+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Ensure that we do not reuse already-destroyed memory pools during data transfers (CVE-2020-9273) (Closes: #951800) * Clear the data-transfer instigating command pool but keep a memory pool. Fixes regression in the %{transfer-status} LogFormat functionality. python-django (1:1.10.7-2+deb9u9) stretch-security; urgency=high . * CVE-2020-13254: Potential a data leakage via malformed memcached keys. . In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends. . * CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. . Query parameters to the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded. python-django (1:1.10.7-2+deb9u8) stretch-security; urgency=high . * CVE-2020-7471: Prevent a Potential SQL injection via StringAgg(delimiter). (Closes: #950581) . Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. python-icalendar (3.8-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix the python3-icalendar dependencies. (Closes: #867436) python-pysaml2 (3.0.0-5+deb9u1) stretch-security; urgency=medium . * CVE-2020-5390 python-reportlab (3.3.0-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Address remote code execution in colors.py (CVE-2019-17626) (Closes: #942763) qbittorrent (3.3.7-3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Prevent command injection via "Run external program" function (CVE-2019-13640) (Closes: #932539) qemu (1:2.8+dfsg-6+deb9u9) stretch-security; urgency=medium . * slirp possible use-after-free in ip_reass(), slirp-ip_reass-fix-use-after-free-CVE-CVE-2019-15890.patch Closes: #939869, CVE-2019-15890 * slirp emulation fixes, Closes: CVE-2020-7039 tcp_emu-fix-OOB-access-CVE-2020-7039.patch slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch slirp-use-correct-size-while-emulating-IRC-commands-CVE-2020-7039.patch qtbase-opensource-src (5.7.1+dfsg-3+deb9u2) stretch-security; urgency=high . * Backport fix for CVE-2020-0569: Do not load plugin from the CWD. rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high . * Team upload. * Add patch to fix possible XSS vector in JS escape helper. (Fixes: CVE-2020-5267) (Closes: #954304) rake (10.5.0-2+deb9u1) stretch; urgency=high . * Team upload * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130) roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high . * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (Closes: #964355) roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high . * Backport security fixes from 1.3.12: - CVE-2020-13964: Cross-Site Scripting (XSS) vulnerability in template object 'username' (closes: #962124) - CVE-2020-13965: Cross-Site Scripting (XSS) vulnerability via malicious XML messages (closes: #962123) roundcube (1.2.3+dfsg.1-4+deb9u4) stretch-security; urgency=high . * Backport security fixes from 1.2.10: - CVE-2020-12625: Cross-Site Scripting (XSS) vulnerability via malicious HTML messages (closes: #959140) - CVE-2020-12626: CSRF attack can cause an authenticated user to be logged out (closes: #959142) ruby-json (2.0.1+dfsg-3+deb9u1) stretch; urgency=high . * Add patch to fix unsafe object creation vulnerability. (Fixes: CVE-2020-10663 ruby2.3 (2.3.3-1+deb9u8) stretch; urgency=high . * Non-maintainer upload. * Add patch to fix unsafe object creation vulnerability. (Fixes: CVE-2020-10663) salt (2016.11.2+ds-1+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Apply missing fixes as part of the CVE-2020-11651 and CVE-2020-11652 salt (2016.11.2+ds-1+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Address CVE-2020-11651 and CVE-2020-11652 (Closes: #959684) Thanks to Daniel Wozniak * Add note about log messages to hardening salt docs * salt-api NET API with the ssh client enabled is vulnerable to command injection (CVE-2019-17361) (Closes: #949222) sendmail (8.15.2-8+deb9u1) stretch; urgency=medium . * QA upload. * rmail: Add exim4 to the list of conflicting MTAs. (Closes: #863567) * Skip hook execution if /usr/share/sendmail/dynamic does not exist. (Closes: #873978) * debian/examples/network/if-post-down.d/sendmail: Generate during build. * connect-from-null.patch: New, fix "NOQUEUE: connect from (null)", thanks to Michael Grant and Claus Assmann. * Fix finding the queue runner control process in "split daemon" mode, thanks to Marc Andre Selig. (Closes: #887064) * Fix prerm failure on btrfs. (Closes: #893424) * Switch Vcs-* URLs to salsa.debian.org. * Fix typos in descriptions. (Closes: #894535) * sendmail-bin.prerm: Stop sendmail before removing the alternatives. sogo-connector (68.0.1-2~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. - Lower dh compat to 10. sogo-connector (68.0.1-1) unstable; urgency=medium . * [0e43d2d] d/control: move Maintainer to Debian Mozilla Extension Maintainers sogo-connector (68.0.1-1~exp1) unstable; urgency=medium . * [74a8e5f] New upstream version 68.0.1 * [5c78ff2] d/control: add new package webext-sogo-connector - The source of the package is now web-extension based only, no old transitional xul stuff is included. So make this visible by moving the main binary package over to webext-* syntax. * [b292c29] d/control: remove B-D on make and mozilla-devscripts - Drop Build-Depends on make and mozilla-devscripts, they are not needed any more. * [1dadf9c] d/control: adding Rules-Requires-Root: no * [1d3e119] d/rules: updating build targets - Clean up all non needed xul-* helpers, makes the mostly needed target reduced to the quite the minimum. * [ec0863d] webext-sogo-connector adding install sequencer file * [366a931] webext-sogo-connector: adding linking sequencer file * [1c7252f] webext-sogo-connector: adding docs sequencer file * [48e8b6a] d/xul-ext-sogo-connector.lintian-overrides: drop file - xul-ext-sogo-connector is now a transitional package, we don't need this lintian file any more. sogo-connector (68.0.0-1) unstable; urgency=medium . * [63605f6] New upstream version 68.0.0 (Closes: #945061) * [f021239] d/control: bump Standards-Version to 4.4.1 * [cece803] d/control: drop B-D on python-ply (Closes: #939479) * [86ab883] rebuild patch queue from patch-queue branch - removed patches: removing-the-COPYING-file.patch sogo-connector.xpt-prepare-option-for-rebuild-the-.x.patch * [00917e3] remove now obsolete *.idl files - The package build isn't depending on some old files from the non existing package thunderbird-dev any more. The build doesn't uses *.idl files now. * [4b96f9a] d/copyright: update date information * [3efbfa0] d/watch: switch over to git mode * [324d0b8] d/rules: rewrite targets due modified source for TB 68 - Rewrite the control of the package build. There is no local run of some Make targets needed any more. sogo-connector (60.0.2-1) unstable; urgency=medium . * [747546e] New upstream version 60.0.2 sogo-connector (60.0.1-1) unstable; urgency=medium . * [37adbb6] New upstream version 60.0.1 * [fcd4f5d] d/control: bump Standards-Version to 4.3.0 - No further changes needed. * [0c71fd4] debhelper: use debhelper-compat in B-D - Move over to use debhelper-compat (with version 12) instead of using a specific debhelper version together with a possible different version for compatibility in d/compat. sogo-connector (60.0.0+gite2547a3-1) unstable; urgency=medium . * [8785a7e] New upstream version 31.0.6 * [4498ec4] add files from package thunderbird-devel - To get the upstream source build we need some files from the now no longer available package thunderbird-dev. Extracting these files from latest available version on snapshot.d.o and place the files with the debian/ folder. * [014690f] rebuild patch queue from patch-queue branch - modified patch: sogo-connector.xpt-prepare-option-for-rebuild-the-.x.patch By the now different source folders for the required files from the old package thunderbird-dev we also need to modify the Makefile within the folder components/ so this file is referencing the new source folder for to get the AddOn build. * [a787dfb] New upstream version 60.0.0+gite2547a3 - Closes: #909313, #890513, #858734 * [e3da533] d/control: remove B-D on thunderbird-dev - Removing the no longer available package from the Build-Depends. * [99365db] debian/control: bump Standards-Version to 4.2.1 - No further changes needed. * [ca0be35] d/control: adjust Vcs fields to Salsa - Packaging tree is now moved over to Salsa. * [e4632ef] d/watch: use https instead of http * [b31b662] d/control: adjust upstream Homepage - Change the referencing Upstream URL to the new created GitHub site on https://github.com/inverse-inc/sogo-connector * [d02948f] d/watch: use new github sub site for the watch file - And also use this URL within the watch file. * [cb51d79] rebuild patch queue from patch-queue branch * [f380573] d/rules: tweak the installation of some files - Remove unneeded Makefile from the package and move the README file into /usr/share/doc/xul-ext-sogo-connector ssvnc (1.0.29-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload by the LTS team. * Porting of libvncclient security patches (Closes: #945827): - CVE-2018-20020: heap out-of-bound write vulnerability inside structure in VNC client code. - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. - CVE-2018-20022: CWE-665: Improper Initialization vulnerability. - CVE-2018-20024: null pointer dereference that can result DoS. storebackup (3.2.1-2~deb9u1) stretch; urgency=medium . * QA upload. * Rebuild for stretch. . storebackup (3.2.1-2) unstable; urgency=medium . * QA upload. * Set maintainer to Debian QA Group. (see #856299) * Add patch to change the way the lockfile is opened in the Perl code. (Fixes: CVE-2020-7040) (Closes: #949393) swt-gtk (3.8.2-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * libswt-webkit-gtk-3-jni: Add the missing dependency on libwebkitgtk-1.0-0. (Closes: #879170) thunderbird (1:68.10.0-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security thunderbird (1:68.9.0-1) unstable; urgency=medium . [ intrigeri ] * [fd13825] AppArmor: update profile from upstream at commit 860d2d9 (Closes: #960465) . [ Carsten Schoenert ] * [c310c40] New upstream version 68.9.0 Fixed CVE issues in upstream version 68.9.0 (MFSA 2020-22): CVE-2020-12399: Timing attack on DSA signatures in NSS library CVE-2020-12405: Use-after-free in SharedWorkerService CVE-2020-12406: JavaScript Type confusion with NativeTypes CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0 CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to information leakage thunderbird (1:68.9.0-1~deb10u1) stable-security; urgency=medium . * Rebuild for buster-security (Closes: #960465) thunderbird (1:68.9.0-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security (Closes: #960465) thunderbird (1:68.8.1-1) unstable; urgency=medium . * [7495e7a] New upstream version 68.8.1 thunderbird (1:68.8.0-1) unstable; urgency=medium . * [9b5ae46] New upstream version 68.8.0 Fixed CVE issues in upstream version 68.8.0 (MFSA 2020-18): CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode characters CVE-2020-12387: Use-after-free during worker shutdown CVE-2020-6831: Buffer overflow in SCTP chunk input validation CVE-2020-12392: Arbitrary local file access with 'Copy as cURL' CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0 thunderbird (1:68.8.0-1~deb10u1) stable-security; urgency=medium . * Rebuild for buster-security thunderbird (1:68.8.0-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security thunderbird (1:68.7.0-1) unstable; urgency=medium . * [c0052af] New upstream version 68.7.0 Fixed CVE issues in upstream version 68.7.0 (MFSA 2020-14): CVE-2020-6819: Use-after-free while running the nsDocShell destructor CVE-2020-6820: Use-after-free when handling a ReadableStream CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images CVE-2020-6825: Memory safety bugs fixed in Thunderbird 68.7 thunderbird (1:68.7.0-1~deb10u1) stable-security; urgency=medium . * Rebuild for buster-security thunderbird (1:68.7.0-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security thunderbird (1:68.6.0-1) unstable; urgency=medium . * [5709774] New upstream version 68.6.0 Fixed CVE issues in upstream version 68.6.0 (MFSA 2020-10): CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init CVE-2020-6805: Use-after-free when removing data about origins CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion CVE-2020-6807: Use-after-free in cubeb during stream destruction CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission CVE-2020-6814: Memory safety bugs fixed in Thunderbird 68.6 thunderbird (1:68.6.0-1~deb10u1) stable-security; urgency=medium . * Rebuild for buster-security thunderbird (1:68.6.0-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security thunderbird (1:68.5.0-1) unstable; urgency=medium . * [d79bf82] New upstream version 68.5.0 Fixed CVE issues in upstream version 68.5.0 (MFSA 2020-07): CVE-2020-6793: Out-of-bounds read when processing certain email messages CVE-2020-6794: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords CVE-2020-6795: Crash processing S/MIME messages with multiple signatures CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection CVE-2020-6792: Message ID calculcation was based on uninitialized data CVE-2020-6800: Memory safety bugs fixed in Thunderbird 68.5 (Closes: #891848) * [0884df6] d/control: increase Standards-Version to 4.5.0 No further changes needed. thunderbird (1:68.5.0-1~deb10u1) stable-security; urgency=medium . * Rebuild for buster-security (Closes: #891848) thunderbird (1:68.5.0-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security (Closes: #891848) thunderbird (1:68.4.2-1) unstable; urgency=medium . * [7ab7786] d/gbp.conf: add some more files we need to filter out * [9c02c34] New upstream version 68.4.2 thunderbird (1:68.4.1-1) unstable; urgency=medium . * [a00f3e9] New upstream version 68.4.1 Fixed CVE issues in upstream version 68.4.1 (MFSA 2020-04): CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting CVE-2019-17017: Type Confusion in XPCVariant.cpp CVE-2019-17022: CSS sanitization does not escape HTML tags CVE-2019-17024: Memory safety bugs fixed in Thunderbird 68.4.1 * [6b1fd82] rebuild patch queue from patch-queue branch removed patch (included upstream) fixes/Update-bindgen-in-ESR68.-r-glandium-a-RyanVM.patch thunderbird (1:68.4.1-1~deb10u1) stable-security; urgency=medium . * Rebuild for buster-security tiff (4.0.8-2+deb9u5) stretch-security; urgency=high . * Backport security fixes: - CVE-2018-12900, heap-based buffer overflow in cpSeparateBufToContigBuf(), - CVE-2018-17000, NULL pointer dereference in _TIFFmemcmp(), - CVE-2018-17100, int32 overflow in multiply_ms(), - CVE-2018-19210, NULL pointer dereference in TIFFWriteDirectorySec(), - CVE-2019-14973, _TIFFCheckMalloc() and _TIFFCheckRealloc() mishandle Integer Overflow checks, - CVE-2019-17546, integer overflow that potentially causes a heap-based buffer overflow, - CVE-2019-7663, Invalid Address dereference in TIFFWriteDirectoryTagTransfer() . * Add required _TIFFCastUInt64ToSSize@LIBTIFF_4.0 and _TIFFMultiplySSize@LIBTIFF_4.0 symbols to the libtiff5 package. tinyproxy (1.8.4-3~deb9u2) stretch; urgency=medium . * debian/patches: + Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch. CVE-2017-11747: Create PID file before dropping privileges to non-root account. (Closes: #870307). * debian/tinyproxy.init: + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes: #948283). tomcat8 (8.5.54-0+deb9u1) stretch-security; urgency=high . * Team upload. * Fix CVE-2019-17569: HTTP Request Smuggling The refactoring in 8.5.48 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. * Fix CVE-2020-1935: HTTP Request Smuggling The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. * Fix CVE-2020-1938: AJP Request Injection and potential Remote Code Execution When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Prior to Tomcat 8.5.51, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. . Note that Debian already disabled the AJP connector by default. Mitigation is only required if the AJP port was made accessible to untrusted users. tzdata (2020a-0+deb9u1) stretch; urgency=medium . * New upstream version, affecting the following future timestamps: - Morocco springs forward on 2020-05-31, not 2020-05-24. - Canada's Yukon advanced to -07 year-round on 2020-03-08. tzdata (2019c-3) unstable; urgency=medium . * Build the timezone data from tzdata.zi. * Install leapseconds file /usr/share/zoneinfo. * Bump Standards-Version to 4.4.1 (no changes). tzdata (2019c-2) unstable; urgency=medium . [ Paul Eggert ] * Install tzdata.zi file in /usr/share/zoneinfo. Closes: #940852. . [ Aurelien Jarno ] * Use tzdata.zi to change hardlinks into symlinks. * Bump debhelper compatibility to 12. * Bump Standards-Version to 4.4.0 (no changes). * Drop Replaces on libc6, it is not needed anymore since Lenny. * Depends on gawk and use it instead of mawk which crashes with a memory corruption. tzdata (2019c-1) unstable; urgency=medium . * New upstream version, affecting the following future timestamps: - Fiji's next DST transitions will be 2019-11-10 and 2020-01-12 instead of 2019-11-03 and 2020-01-19. - Norfolk Island will observe Australian-style DST starting in spring 2019. The first transition is on 2019-10-06. * Update French debconf translation, by Baptiste Jammet. Closes: #935153. * debian/rules: drop obsolete -y zic option. tzdata (2019c-0+deb10u1) buster; urgency=medium . * New upstream version, affecting the following future timestamps: - Fiji's next DST transitions will be 2019-11-10 and 2020-01-12 instead of 2019-11-03 and 2020-01-19. - Norfolk Island will observe Australian-style DST starting in spring 2019. The first transition is on 2019-10-06. vlc (3.0.11-0+deb9u1) stretch-security; urgency=high . * New upstream release - Fix heap-based buffer overflow in hxxx_nal (CVE-2020-13428) * debian/patches: Drop patches integrated upstream vlc (3.0.10-2) unstable; urgency=medium . * debian/: - Bump debhleper compat to 13 - Disable srt until the package is fixed - Build omxil plugin only on Raspbian (Closes: #957915) vlc (3.0.10-1) unstable; urgency=medium . * New upstream release vlc (3.0.10-0+deb10u1) buster-security; urgency=medium . * New upstream release * debian/: Disable microdns plugin due to microdns security issues (CVE-2020-6071, CVE-2020-6072, CVE-2020-6073, CVE-2020-6077, CVE-2020-6078, CVE-2020-6079, CVE-2020-6080) vlc (3.0.10-0+deb9u1) stretch-security; urgency=medium . * New upstream release * debian/: Disable microdns plugin due to microdns security issues (CVE-2020-6071, CVE-2020-6072, CVE-2020-6073, CVE-2020-6077, CVE-2020-6078, CVE-2020-6079, CVE-2020-6080) * debian/patches: Fix build with stretch's libdvdread vlc (3.0.9.2-1) unstable; urgency=medium . * New upstream release * debian/patches: Remove patches integrated upstream * debian/copyright: - Bump copyright years - Update files * debian/upstream/signing-key.asc: Re-export upstream's signing key vlc (3.0.8-4) unstable; urgency=medium . * debian/control: Bump Standards-Version * debian/upstream: Apply upstream patches for chromechast support in avahi * debian/: Disable microdns plugin vlc (3.0.8-3) unstable; urgency=medium . * debian/control: - Replace libfreetype6-dev with libfreetype-dev - Bump Standards-Version * debian/: Build srt access plugin vlc (3.0.8-2) unstable; urgency=medium . * debian/: Revert "Switch back to libmodplug-dev since vlc now requires 0.8.9.". Patch configure.ac instead. vlc (3.0.8-1) unstable; urgency=medium . * New upstream release. - Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) - Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438) - Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) - Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) - Fix a use after free in the ASF demuxer (CVE-2019-14533) - Fix a null dereference in the ASF demuxer (CVE-2019-14534) - Fix a division by zero in the CAF demuxer (CVE-2019-14498) - Fix a division by zero in the ASF demuxer (CVE-2019-14535) * debian/: Remove crystalhd plugin. libcrystalhd-dev is scheduled for removal. * debian/patches: Remove patches included upstream. * debian/control: Switch back to libmodplug-dev since vlc now requires 0.8.9. vlc (3.0.8-0+deb10u1) buster-security; urgency=high . * New upstream release. - Fix a buffer overflow in the MKV demuxer (CVE-2019-14970) - Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) - Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438) - Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) - Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) - Fix a use after free in the ASF demuxer (CVE-2019-14533) - Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602) (Closes: #932131) - Fix a null dereference in the ASF demuxer (CVE-2019-14534) - Fix a division by zero in the CAF demuxer (CVE-2019-14498) - Fix a division by zero in the ASF demuxer (CVE-2019-14535) - Fix a division by zero when playing DVDs. (Closes: #929491, #923017, #932182) * debian/control: Bump libebml-dev B-D according to configure check changes. * debian/patches: Revert modplug version bump. We use the libopenmpt compat layer anyway. websockify (0.8.0+dfsg1-7+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add runtime depends on python{3,}-pkg-resources (Closes: #879224). wordpress (4.7.5+dfsg-2+deb9u6) stretch-security; urgency=high . * Importing Wordpress 4.7.17/5.4.1 updates Closes: #959391 - CVE-2020-11025 XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed. - CVE-2020-11026 uploaded files to Media section to lead to script execution - CVE-2020-11027 Password reset link does not expire - CVE-2020-11028 Private posts can be found through searching by date - CVE-2020-11029 XSS in stats() method in class-wp-object-cache Not vulnerable: - CVE-2020-11030 (feature introduced 5.0) Special payload can execute scripts in block editor * Importing Wordpress 4.7.16/5.3.1 updates Closes: #946905 - CVE-2019-20043 an unprivileged user could make a post sticky via the REST API. - CVE-2019-20041 hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute. Not vulnerable: - CVE-2019-20042 (function introduced 5.1.0) cross-site scripting (XSS) could be stored in well-crafted links - CVE-2019-16780 and CVE-2019-16781 (feature introduced 5.0) stored XSS vulnerability using block editor content. * Importing Wordpress 4.7.15/5.2.4 updates Closes: #942459 - CVE-2019-17674 Stored XSS in the Customizer - CVE-2019-17671 Viewing unauthenticated posts - CVE-2019-17672 Stored XSS to inject javascript into style tags - CVE-2019-17673 Poisoning JSON GET requests - CVE-2019-17669 SSRF in URL vaidation - CVE-2019-17675 Referer validation in admin screens * Importing Wordpress 4.7.14/5.2.3 updates Closes: #939543 - CVE-2019-16223 XSS in post previews - CVE-2019-16218 XSS in stored comments - CVE-2019-16220 Open redirect due to validation and sanitization - CVE-2019-16217 XSS in media uploads - CVE-2019-16219 XSS in shortcode previews - CVE-2019-16221 XSS in dashboard - CVE-2019-16222 XSS in URL sanitization * Security patches from 5.1.1/4.7.13 * Fixes XSS security hole in comments CVE-2019-9787 Closes: #924546 wpa (2:2.4-1+deb9u6) stretch; urgency=medium . * Refresh the patch for CVE-2019-16275 to include the missing inline function. * Add an upstream patch to fix the MAC randomisation issue with some cards (LP: #1867908, Closes: #954457) . wpa (2:2.4-1+deb9u5) stretch; urgency=medium . * SECURITY UPDATE: - AP mode PMF disconnection protection bypass. More details: + https://w1.fi/security/2019-7/ Closes: #940080 (CVE-2019-16275) xdg-utils (1.1.1-1+deb9u2) stretch; urgency=medium . * Apply patches: - Sanitise-window-name.patch fixes crash in xdg-screensaver. Closes: #910070, LP: #1743216, Upstream: BR108121. - Directories-with-spaces.patch corrects handling directories with spaces in the name. LP: #1848335, Upstream: #166. - Create-data-apps-dir.patch fixes xdg-mime with temporary $XDG_DATA_HOME. Closes: #652038. xml-security-c (1.7.3-4+deb9u3) stretch; urgency=medium . * [02c3993] New patch: Fix a length bug in concat method. Thanks to Scott Cantor (Closes: #922984) xtrlock (2.8+deb9u1) stretch; urgency=high . * CVE-2016-10894: Attempt to grab multitouch devices which are not intercepted via XGrabPointer. . xtrlock did not block multitouch events so an attacker could still input and thus control various programs such as Chromium, etc. via so-called "multitouch" events such as pan scrolling, "pinch and zoom", or even being able to provide regular mouse clicks by depressing the touchpad once and then clicking with a secondary finger. . This fix does not the situation where Eve plugs in a multitouch device *after* the screen has been locked. For more information on this angle, please see . (Closes: #830726) ====================================== Sat, 08 Feb 2020 - Debian 9.12 released ====================================== ========================================================================= [Date: Sat, 08 Feb 2020 11:46:50 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: btrfs-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x crc-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x crypto-dm-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x crypto-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x dasd-extra-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x dasd-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x ext4-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x fat-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x fuse-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x isofs-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x kernel-image-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x linux-headers-4.9.0-11-all-s390x | 4.9.189-3+deb9u2 | s390x linux-headers-4.9.0-11-s390x | 4.9.189-3+deb9u2 | s390x linux-image-4.9.0-11-s390x | 4.9.189-3+deb9u2 | s390x linux-image-4.9.0-11-s390x-dbg | 4.9.189-3+deb9u2 | s390x loop-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x md-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x multipath-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x nbd-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x nic-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x scsi-core-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x scsi-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x udf-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x virtio-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x xfs-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x zlib-modules-4.9.0-11-s390x-di | 4.9.189-3+deb9u2 | s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:47:08 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: linux-headers-4.9.0-11-all | 4.9.189-3+deb9u2 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:47:16 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: acpi-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 ata-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 btrfs-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 cdrom-core-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 crc-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 crypto-dm-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 crypto-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 efi-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 event-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 ext4-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 fat-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 fb-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 firewire-core-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 fuse-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 hyperv-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 i2c-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 input-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 isofs-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 jfs-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 kernel-image-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 linux-headers-4.9.0-11-all-amd64 | 4.9.189-3+deb9u2 | amd64 linux-headers-4.9.0-11-amd64 | 4.9.189-3+deb9u2 | amd64 linux-headers-4.9.0-11-rt-amd64 | 4.9.189-3+deb9u2 | amd64 linux-image-4.9.0-11-amd64 | 4.9.189-3+deb9u2 | amd64 linux-image-4.9.0-11-amd64-dbg | 4.9.189-3+deb9u2 | amd64 linux-image-4.9.0-11-rt-amd64 | 4.9.189-3+deb9u2 | amd64 linux-image-4.9.0-11-rt-amd64-dbg | 4.9.189-3+deb9u2 | amd64 loop-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 md-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 mmc-core-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 mmc-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 mouse-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 multipath-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 nbd-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 nic-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 nic-pcmcia-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 nic-shared-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 nic-usb-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 nic-wireless-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 ntfs-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 pata-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 pcmcia-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 pcmcia-storage-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 ppp-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 sata-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 scsi-core-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 scsi-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 serial-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 sound-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 speakup-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 squashfs-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 udf-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 uinput-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 usb-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 usb-serial-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 usb-storage-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 virtio-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 xfs-modules-4.9.0-11-amd64-di | 4.9.189-3+deb9u2 | amd64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:47:24 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: ata-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 btrfs-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 cdrom-core-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 crc-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 crypto-dm-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 crypto-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 efi-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 event-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 ext4-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 fat-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 fb-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 fuse-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 i2c-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 input-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 isofs-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 jfs-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 kernel-image-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 leds-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 linux-headers-4.9.0-11-all-arm64 | 4.9.189-3+deb9u2 | arm64 linux-headers-4.9.0-11-arm64 | 4.9.189-3+deb9u2 | arm64 linux-image-4.9.0-11-arm64 | 4.9.189-3+deb9u2 | arm64 linux-image-4.9.0-11-arm64-dbg | 4.9.189-3+deb9u2 | arm64 loop-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 md-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 mmc-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 multipath-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 nbd-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 nic-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 nic-shared-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 nic-usb-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 nic-wireless-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 ppp-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 sata-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 scsi-core-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 scsi-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 squashfs-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 udf-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 uinput-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 usb-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 usb-storage-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 virtio-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 xfs-modules-4.9.0-11-arm64-di | 4.9.189-3+deb9u2 | arm64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:47:32 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: btrfs-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel cdrom-core-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel crc-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel crypto-dm-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel crypto-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel event-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel ext4-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel fat-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel fb-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel fuse-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel input-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel ipv6-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel isofs-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel jffs2-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel jfs-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel kernel-image-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel leds-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel linux-headers-4.9.0-11-all-armel | 4.9.189-3+deb9u2 | armel linux-headers-4.9.0-11-marvell | 4.9.189-3+deb9u2 | armel linux-image-4.9.0-11-marvell | 4.9.189-3+deb9u2 | armel linux-image-4.9.0-11-marvell-dbg | 4.9.189-3+deb9u2 | armel loop-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel md-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel minix-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel mmc-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel mouse-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel mtd-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel multipath-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel nbd-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel nic-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel nic-shared-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel nic-usb-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel ppp-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel sata-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel scsi-core-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel squashfs-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel udf-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel uinput-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel usb-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel usb-serial-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel usb-storage-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel zlib-modules-4.9.0-11-marvell-di | 4.9.189-3+deb9u2 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:47:39 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: ata-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf btrfs-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf crc-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf crypto-dm-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf crypto-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf efi-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf event-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf ext4-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf fat-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf fb-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf fuse-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf i2c-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf input-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf isofs-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf jfs-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf kernel-image-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf leds-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf linux-headers-4.9.0-11-all-armhf | 4.9.189-3+deb9u2 | armhf linux-headers-4.9.0-11-armmp | 4.9.189-3+deb9u2 | armhf linux-headers-4.9.0-11-armmp-lpae | 4.9.189-3+deb9u2 | armhf linux-image-4.9.0-11-armmp | 4.9.189-3+deb9u2 | armhf linux-image-4.9.0-11-armmp-dbg | 4.9.189-3+deb9u2 | armhf linux-image-4.9.0-11-armmp-lpae | 4.9.189-3+deb9u2 | armhf linux-image-4.9.0-11-armmp-lpae-dbg | 4.9.189-3+deb9u2 | armhf loop-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf md-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf mmc-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf mtd-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf multipath-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf nbd-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf nic-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf nic-shared-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf nic-usb-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf nic-wireless-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf pata-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf ppp-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf sata-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf scsi-core-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf scsi-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf squashfs-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf udf-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf uinput-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf usb-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf usb-storage-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf virtio-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf zlib-modules-4.9.0-11-armmp-di | 4.9.189-3+deb9u2 | armhf ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:47:47 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: acpi-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 acpi-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 ata-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 ata-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 btrfs-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 btrfs-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 cdrom-core-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 cdrom-core-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 crc-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 crc-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 crypto-dm-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 crypto-dm-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 crypto-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 crypto-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 efi-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 efi-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 event-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 event-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 ext4-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 ext4-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 fat-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 fat-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 fb-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 fb-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 firewire-core-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 firewire-core-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 fuse-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 fuse-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 hyperv-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 hyperv-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 i2c-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 i2c-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 input-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 input-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 isofs-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 isofs-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 jfs-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 jfs-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 kernel-image-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 kernel-image-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 linux-headers-4.9.0-11-686 | 4.9.189-3+deb9u2 | i386 linux-headers-4.9.0-11-686-pae | 4.9.189-3+deb9u2 | i386 linux-headers-4.9.0-11-all-i386 | 4.9.189-3+deb9u2 | i386 linux-headers-4.9.0-11-rt-686-pae | 4.9.189-3+deb9u2 | i386 linux-image-4.9.0-11-686 | 4.9.189-3+deb9u2 | i386 linux-image-4.9.0-11-686-dbg | 4.9.189-3+deb9u2 | i386 linux-image-4.9.0-11-686-pae | 4.9.189-3+deb9u2 | i386 linux-image-4.9.0-11-686-pae-dbg | 4.9.189-3+deb9u2 | i386 linux-image-4.9.0-11-rt-686-pae | 4.9.189-3+deb9u2 | i386 linux-image-4.9.0-11-rt-686-pae-dbg | 4.9.189-3+deb9u2 | i386 loop-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 loop-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 md-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 md-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 mmc-core-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 mmc-core-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 mmc-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 mmc-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 mouse-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 mouse-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 multipath-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 multipath-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 nbd-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 nbd-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 nic-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 nic-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 nic-pcmcia-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 nic-pcmcia-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 nic-shared-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 nic-shared-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 nic-usb-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 nic-usb-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 nic-wireless-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 nic-wireless-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 ntfs-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 ntfs-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 pata-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 pata-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 pcmcia-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 pcmcia-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 pcmcia-storage-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 pcmcia-storage-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 ppp-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 ppp-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 sata-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 sata-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 scsi-core-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 scsi-core-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 scsi-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 scsi-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 serial-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 serial-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 sound-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 sound-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 speakup-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 speakup-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 squashfs-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 squashfs-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 udf-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 udf-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 uinput-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 uinput-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 usb-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 usb-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 usb-serial-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 usb-serial-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 usb-storage-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 usb-storage-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 virtio-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 virtio-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 xfs-modules-4.9.0-11-686-di | 4.9.189-3+deb9u2 | i386 xfs-modules-4.9.0-11-686-pae-di | 4.9.189-3+deb9u2 | i386 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:47:54 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: linux-headers-4.9.0-11-all-mips | 4.9.189-3+deb9u2 | mips ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:48:12 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: affs-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel btrfs-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel cdrom-core-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel crc-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel crypto-dm-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel crypto-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel event-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel ext4-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel fat-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel fuse-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel hfs-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel input-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel isofs-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel jfs-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel kernel-image-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel linux-headers-4.9.0-11-5kc-malta | 4.9.189-3+deb9u2 | mips, mips64el, mipsel linux-headers-4.9.0-11-octeon | 4.9.189-3+deb9u2 | mips, mips64el, mipsel linux-image-4.9.0-11-5kc-malta | 4.9.189-3+deb9u2 | mips, mips64el, mipsel linux-image-4.9.0-11-5kc-malta-dbg | 4.9.189-3+deb9u2 | mips, mips64el, mipsel linux-image-4.9.0-11-octeon | 4.9.189-3+deb9u2 | mips, mips64el, mipsel linux-image-4.9.0-11-octeon-dbg | 4.9.189-3+deb9u2 | mips, mips64el, mipsel loop-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel md-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel minix-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel multipath-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel nbd-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel nic-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel nic-shared-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel nic-usb-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel nic-wireless-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel ntfs-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel pata-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel ppp-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel rtc-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel sata-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel scsi-core-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel scsi-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel sound-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel squashfs-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel udf-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel usb-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel usb-serial-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel usb-storage-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel virtio-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel xfs-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel zlib-modules-4.9.0-11-octeon-di | 4.9.189-3+deb9u2 | mips, mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:48:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: affs-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel ata-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel btrfs-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel cdrom-core-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel crc-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel crypto-dm-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel crypto-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel event-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel ext4-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel fat-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel fuse-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel hfs-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel i2c-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel input-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel isofs-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel jfs-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel kernel-image-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel linux-headers-4.9.0-11-4kc-malta | 4.9.189-3+deb9u2 | mips, mipsel linux-image-4.9.0-11-4kc-malta | 4.9.189-3+deb9u2 | mips, mipsel linux-image-4.9.0-11-4kc-malta-dbg | 4.9.189-3+deb9u2 | mips, mipsel loop-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel md-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel minix-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel mmc-core-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel mmc-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel mouse-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel multipath-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel nbd-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel nic-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel nic-shared-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel nic-usb-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel nic-wireless-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel ntfs-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel pata-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel ppp-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel sata-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel scsi-core-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel scsi-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel sound-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel squashfs-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel udf-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel usb-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel usb-serial-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel usb-storage-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel virtio-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel xfs-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel zlib-modules-4.9.0-11-4kc-malta-di | 4.9.189-3+deb9u2 | mips, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:48:29 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: affs-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el ata-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el btrfs-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el cdrom-core-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el crc-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el crypto-dm-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el crypto-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el event-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el ext4-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el fat-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el fuse-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el hfs-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el i2c-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el input-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el isofs-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el jfs-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el kernel-image-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el linux-headers-4.9.0-11-all-mips64el | 4.9.189-3+deb9u2 | mips64el loop-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el md-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el minix-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el mmc-core-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el mmc-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el mouse-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el multipath-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el nbd-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el nic-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el nic-shared-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el nic-usb-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el nic-wireless-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el ntfs-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el pata-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el ppp-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el sata-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el scsi-core-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el scsi-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el sound-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el squashfs-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el udf-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el usb-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el usb-serial-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el usb-storage-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el virtio-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el xfs-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el zlib-modules-4.9.0-11-5kc-malta-di | 4.9.189-3+deb9u2 | mips64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:48:38 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: affs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel ata-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel btrfs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel cdrom-core-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel crc-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel crypto-dm-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel crypto-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel event-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel ext4-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel fat-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel fb-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel firewire-core-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel fuse-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel hfs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel input-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel isofs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel jfs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel kernel-image-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel linux-headers-4.9.0-11-loongson-3 | 4.9.189-3+deb9u2 | mips64el, mipsel linux-image-4.9.0-11-loongson-3 | 4.9.189-3+deb9u2 | mips64el, mipsel linux-image-4.9.0-11-loongson-3-dbg | 4.9.189-3+deb9u2 | mips64el, mipsel loop-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel md-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel minix-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel multipath-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel nbd-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel nfs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel nic-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel nic-shared-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel nic-usb-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel nic-wireless-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel ntfs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel pata-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel ppp-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel sata-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel scsi-core-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel scsi-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel sound-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel speakup-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel squashfs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel udf-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel usb-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel usb-serial-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel usb-storage-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel virtio-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel xfs-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel zlib-modules-4.9.0-11-loongson-3-di | 4.9.189-3+deb9u2 | mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:48:46 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: linux-headers-4.9.0-11-all-mipsel | 4.9.189-3+deb9u2 | mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:48:52 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: ata-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el btrfs-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el cdrom-core-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el crc-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el crypto-dm-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el crypto-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el event-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el ext4-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el fancontrol-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el fat-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el firewire-core-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el fuse-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el hypervisor-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el input-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el isofs-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el jfs-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el kernel-image-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el linux-headers-4.9.0-11-all-ppc64el | 4.9.189-3+deb9u2 | ppc64el linux-headers-4.9.0-11-powerpc64le | 4.9.189-3+deb9u2 | ppc64el linux-image-4.9.0-11-powerpc64le | 4.9.189-3+deb9u2 | ppc64el linux-image-4.9.0-11-powerpc64le-dbg | 4.9.189-3+deb9u2 | ppc64el loop-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el md-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el mouse-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el multipath-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el nbd-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el nic-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el nic-shared-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el ppp-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el sata-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el scsi-core-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el scsi-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el serial-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el squashfs-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el udf-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el uinput-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el usb-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el usb-serial-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el usb-storage-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el virtio-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el xfs-modules-4.9.0-11-powerpc64le-di | 4.9.189-3+deb9u2 | ppc64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:51:07 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libstd-rust-1.24 | 1.24.1+dfsg1-1~deb9u4 | amd64, arm64, armel, armhf, i386, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by rustc) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:51:25 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firefox-esr-l10n-as | 52.9.0esr-1~deb9u1 | all firefox-esr-l10n-as | 60.9.0esr-1~deb9u1 | all firefox-esr-l10n-bn-bd | 52.9.0esr-1~deb9u1 | all firefox-esr-l10n-bn-bd | 60.9.0esr-1~deb9u1 | all firefox-esr-l10n-bn-in | 52.9.0esr-1~deb9u1 | all firefox-esr-l10n-bn-in | 60.9.0esr-1~deb9u1 | all firefox-esr-l10n-en-za | 52.9.0esr-1~deb9u1 | all firefox-esr-l10n-en-za | 60.9.0esr-1~deb9u1 | all firefox-esr-l10n-mai | 52.9.0esr-1~deb9u1 | all firefox-esr-l10n-mai | 60.9.0esr-1~deb9u1 | all firefox-esr-l10n-ml | 52.9.0esr-1~deb9u1 | all firefox-esr-l10n-ml | 60.9.0esr-1~deb9u1 | all firefox-esr-l10n-or | 52.9.0esr-1~deb9u1 | all firefox-esr-l10n-or | 60.9.0esr-1~deb9u1 | all iceweasel-dev | 52.9.0esr-1~deb9u1 | all iceweasel-l10n-as | 1:52.9.0esr-1~deb9u1 | all iceweasel-l10n-as | 1:60.9.0esr-1~deb9u1 | all iceweasel-l10n-bn-bd | 1:52.9.0esr-1~deb9u1 | all iceweasel-l10n-bn-bd | 1:60.9.0esr-1~deb9u1 | all iceweasel-l10n-bn-in | 1:52.9.0esr-1~deb9u1 | all iceweasel-l10n-bn-in | 1:60.9.0esr-1~deb9u1 | all iceweasel-l10n-en-za | 1:52.9.0esr-1~deb9u1 | all iceweasel-l10n-en-za | 1:60.9.0esr-1~deb9u1 | all iceweasel-l10n-mai | 1:52.9.0esr-1~deb9u1 | all iceweasel-l10n-mai | 1:60.9.0esr-1~deb9u1 | all iceweasel-l10n-ml | 1:52.9.0esr-1~deb9u1 | all iceweasel-l10n-ml | 1:60.9.0esr-1~deb9u1 | all iceweasel-l10n-or | 1:52.9.0esr-1~deb9u1 | all iceweasel-l10n-or | 1:60.9.0esr-1~deb9u1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by firefox-esr - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:51:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firefox-esr-dev | 52.9.0esr-1~deb9u1 | mips ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by firefox-esr - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:51:39 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firefox-esr-dev | 52.9.0esr-1~deb9u1 | mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by firefox-esr - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:51:47 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firefox-esr-dev | 52.9.0esr-1~deb9u1 | mips64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by firefox-esr - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:52:04 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: linux-headers-4.9.0-11-common | 4.9.189-3+deb9u2 | all linux-headers-4.9.0-11-common-rt | 4.9.189-3+deb9u2 | all linux-support-4.9.0-11 | 4.9.189-3+deb9u2 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:53:54 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: calendar-google-provider | 1:52.9.1-1~deb9u1 | all calendar-google-provider | 1:60.9.0-1~deb9u1 | all icedove-dev | 1:52.9.1-1~deb9u1 | all icedove-l10n-bn-bd | 1:52.9.1-1~deb9u1 | all icedove-l10n-pa-in | 1:52.9.1-1~deb9u1 | all icedove-l10n-ta-lk | 1:52.9.1-1~deb9u1 | all iceowl-l10n-bn-bd | 1:52.9.1-1~deb9u1 | all iceowl-l10n-pa-in | 1:52.9.1-1~deb9u1 | all iceowl-l10n-ta-lk | 1:52.9.1-1~deb9u1 | all lightning-l10n-bn-bd | 1:52.9.1-1~deb9u1 | all lightning-l10n-pa-in | 1:52.9.1-1~deb9u1 | all lightning-l10n-ta-lk | 1:52.9.1-1~deb9u1 | all thunderbird-l10n-bn-bd | 1:52.9.1-1~deb9u1 | all thunderbird-l10n-pa-in | 1:52.9.1-1~deb9u1 | all thunderbird-l10n-ta-lk | 1:52.9.1-1~deb9u1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by thunderbird - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:54:01 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: thunderbird-dev | 1:52.9.1-1~deb9u1 | mips ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by thunderbird - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:54:08 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: thunderbird-dev | 1:52.9.1-1~deb9u1 | mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by thunderbird - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:54:14 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: thunderbird-dev | 1:52.9.1-1~deb9u1 | mips64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by thunderbird - based on source metadata) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:36:47 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: ruby-simple-form | 3.2.0-1 | source, all Closed bugs: 941613 ------------------- Reason ------------------- RoM / RoST; unused; security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:37:05 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: trafficserver | 7.0.0-6+deb9u2 | source, amd64, arm64, armhf, i386, mips, mips64el, mipsel, ppc64el trafficserver-dev | 7.0.0-6+deb9u2 | amd64, arm64, armhf, i386, mips, mips64el, mipsel, ppc64el trafficserver-experimental-plugins | 7.0.0-6+deb9u2 | amd64, arm64, armhf, i386, mips, mips64el, mipsel, ppc64el Closed bugs: 942793 ------------------- Reason ------------------- RoM / RoST; unsupportable; security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:37:23 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: firetray | 0.6.1+dfsg-1.2~deb9u1 | source xul-ext-firetray | 0.6.1+dfsg-1.2~deb9u1 | all Closed bugs: 946123 ------------------- Reason ------------------- ROM; Orphaned and dead upstream, not needed any more ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:37:42 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: python-lamson | 1.0pre11-1.3 | source, all Closed bugs: 948447 ------------------- Reason ------------------- RoQA; broken since python-daemon 2.0.5-1 ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:38:02 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: koji | 1.10.0-1+deb9u1 | source koji-client | 1.10.0-1+deb9u1 | all koji-common | 1.10.0-1+deb9u1 | all koji-servers | 1.10.0-1+deb9u1 | all Closed bugs: 950083 ------------------- Reason ------------------- RoM / RoST; security issues ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 08 Feb 2020 11:38:26 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libradare2-1.1 | 1.1.0+dfsg-5 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x libradare2-common | 1.1.0+dfsg-5 | all libradare2-dev | 1.1.0+dfsg-5 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x radare2 | 1.1.0+dfsg-5 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 950693 ------------------- Reason ------------------- RoST; security issues; upstream do not offer stable support ---------------------------------------------- ========================================================================= apache2 (2.4.25-3+deb9u9) stretch-security; urgency=medium . [ Xavier Guimard ] * Use correct patch for CVE-2019-10092. This fixes a regression in mod_proxy_balancer (Closes: #941202) base-files (9.9+deb9u12) stretch; urgency=medium . * Change /etc/debian_version to 9.12, for Debian 9.12 point release. bird (1.6.3-2+deb9u1) stretch-security; urgency=medium . * [CVE-2019-16159]: Backport the two other security fixes from BIRD 1.6.8 cacti (0.8.8h+ds1-10+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2019-17358: insufficient validation of form input leading to unsafe unserialization operations and memory corruption (Closes: #947375). cargo (0.35.0-2~deb9u2) stretch; urgency=medium . * Add correct binaries for armhf. cargo (0.35.0-2~deb9u1) stretch; urgency=medium . * Backport to stretch. * Don't use the packaged libgit, it's too old. * Bootstrap using upstream binaries. cargo (0.35.0-1) unstable; urgency=medium . * New upstream release. cargo (0.33.0-3) unstable; urgency=medium . * Drop patch to capture rustc error output, it is unnecessary. * Add upstream patch to fix typenum bug. cargo (0.33.0-2) unstable; urgency=medium . * Add patch to capture rustc error output if extra-verbose. cargo (0.33.0-1) unstable; urgency=medium . * New upstream release. cargo (0.32.0-2~exp1) experimental; urgency=medium . * Drop patch 2007, for disabling incremental build on sparc64. Closes: bug#917048, Thanks to John Paul Adrian Glaubitz. cargo (0.32.0-1) unstable; urgency=medium . * debian-cargo-wrapper: Support DEB_CARGO_INSTALL_PREFIX for installing into somewhere other than /usr, e.g. / or /usr/lib/cargo. * Move dev scripts from /usr/share/cargo into /usr/share/cargo/scripts. * Increase yet another timeout duration for slower architectures. cargo (0.32.0-1~exp3) experimental; urgency=medium . [ Matt Kraai ] * Rename bash completion script so that it's used. . [ Ximin Luo ] * Further increase a timeout duration for mips. * debian-cargo-wrapper: add --link-to-system option cargo (0.32.0-1~exp2) experimental; urgency=medium . * Try to deal with the various test failures as suggested by upstream. cargo (0.32.0-1~exp1) experimental; urgency=medium . [ upstream ] * Cargo will now download crates in parallel using HTTP/2. * You can now rename packages in your Cargo.toml We have a guide on how to use the package key in your dependencies. . [ Vasudev Kamath ] * Fix the scripts related to tarball creation * Update unsuspicious file list for 0.32.0 * Update copyright information for 0.32.0. * Add lintian-override for source-is-missing, for javascript file from vendored crate documentation. File is not really shipped. . cargo (0.31.1-1) unstable; urgency=medium . * Upload 0.31.1 to unstable. cargo (0.31.1-1) unstable; urgency=medium . * Upload 0.31.1 to unstable. cargo (0.31.1-1~exp1) experimental; urgency=medium . [ upstream ] * [1.30.0] Backport msys progress bar fix for stable. . [ Ximin Luo ] * debian-cargo-vendor: only store differences between vendor-patches and debcargo-conf. . [ Vasudev Kamath ] * Do not delete Cargo.lock in debian-cargo-vendor script as its referenced later in make_orig_multi.sh. cargo (0.31.0-4) unstable; urgency=medium . * Don't set RUSTFLAGS in d/rules. (Closes: #914110) cargo (0.31.0-3) unstable; urgency=medium . * Tweak the cargo wrapper script to be more robust. cargo (0.31.0-2) unstable; urgency=medium . * Fix test failure on some architectures due to hash ordering. * Bump libgit2 dependency version constraint. (Closes: #899038) cargo (0.31.0-1) unstable; urgency=medium . * Don't run tests when doing arch-indep build. * Fix package include/exclude tests. cargo (0.31.0-1~exp1) experimental; urgency=medium . * New upstream release. * Simplify build scripts and add a Debian wrapper for cargo. cargo (0.30.0-1) unstable; urgency=medium . * Upload to unstable. . cargo (0.30.0-1~exp1) experimental; urgency=medium . [ upstream ] * Cargo can silently fix some bad lockfiles You can use --locked to disable this behaviour. * cargo-install will now allow you to cross compile an install using --target. * Added the cargo-fix subcommand to automatically move project code from 2015 edition to 2018. . [ Vasudev Kamath ] * Refresh patch 2004 for new release. * Add openssl crates fuzz,test doc and apps file to unsuspicious list. * debian/patches: + Drop patch 0774e97da3894f07ed5b6f7db175027a9bc4718b.patch for adding cross compile support. Its merged upstream. + Refresh patch 2001 to newer version of libgit2-sys. + Refresh patch 2003 to newer version of libssh2-sys. + Drop patch 1001 which is merged upstream. + Refresh patch 2005 and 2007 to remove fuzz. + Refresh patch 2002 with newer release. * debian/control: + Mark package compliance with Debian policy 4.2.1. * Update copyright information for new release. * debian/rules: + Use DEB_BUILD_OPTIONS to disable tests on powerpc and powerpcspe architecture. Closes: bug#908961, Thanks to Helmut Grohne. cargo (0.30.0-1~exp1) experimental; urgency=medium . [ upstream ] * Cargo can silently fix some bad lockfiles You can use --locked to disable this behaviour. * cargo-install will now allow you to cross compile an install using --target. * Added the cargo-fix subcommand to automatically move project code from 2015 edition to 2018. . [ Vasudev Kamath ] * Refresh patch 2004 for new release. * Add openssl crates fuzz,test doc and apps file to unsuspicious list. * debian/patches: + Drop patch 0774e97da3894f07ed5b6f7db175027a9bc4718b.patch for adding cross compile support. Its merged upstream. + Refresh patch 2001 to newer version of libgit2-sys. + Refresh patch 2003 to newer version of libssh2-sys. + Drop patch 1001 which is merged upstream. + Refresh patch 2005 and 2007 to remove fuzz. + Refresh patch 2002 with newer release. * debian/control: + Mark package compliance with Debian policy 4.2.1. * Update copyright information for new release. * debian/rules: + Use DEB_BUILD_OPTIONS to disable tests on powerpc and powerpcspe architecture. Closes: bug#908961, Thanks to Helmut Grohne. cargo (0.29.0-1) unstable; urgency=medium . * Merge changes of 0.28.0-2, which was missed in first release of 0.29.0 * Upload to unstable. * Refresh patch for `install --target` feature for release 0.29.0 . cargo (0.29.0-1~exp1) experimental; urgency=medium . [ upstream ] * Cargo will now no longer allow you to publish crates with build scripts that modify the src directory. The src directory in a crate should be considered to be immutable. . [ Vasudev Kamath ] * Update unsuspicious text for new release 0.29.0 * Change pattern for embedded zlib * debian/patches: + Refresh patches 2001, 2002, 2003, 2004 to work with new release and new vendor files. + Add patch 1001 to fix deprecated warnings on usage of "casues" from failure crate, * Update copyright information for new release. * Make package compliant with policy 4.2.0. cargo (0.29.0-1~exp1) experimental; urgency=medium . [ upstream ] * Cargo will now no longer allow you to publish crates with build scripts that modify the src directory. The src directory in a crate should be considered to be immutable. . [ Vasudev Kamath ] * Update unsuspicious text for new release 0.29.0 * Change pattern for embedded zlib * debian/patches: + Refresh patches 2001, 2002, 2003, 2004 to work with new release and new vendor files. + Add patch 1001 to fix deprecated warnings on usage of "casues" from failure crate, * Update copyright information for new release. * Make package compliant with policy 4.2.0. cargo (0.28.0-2) unstable; urgency=medium . * Re-add `install --target` functionality, needed by dh-cargo. cargo (0.28.0-1) unstable; urgency=medium . * Upload to unstable . cargo (0.28.0-1~exp3) experimental; urgency=medium . * Disable incremental compilation tests on sparc64 architecture. Closes: bug#905623, Thanks to John Paul Adrian Glaubitz. . cargo (0.28.0-1~exp2) experimental; urgency=medium . * Add patch 2005 to disable fetch_platform_specific_dependencies unit tests. Upstream issue #5864. . cargo (0.28.0-1~exp1) experimental; urgency=medium . [ upstream ] * cargo-metadata now includes authors, categories, keywords, readme, and repository fields. * cargo-metadata now includes a package's metadata table. * Added the --target-dir optional argument. This allows you to specify a different directory than target for placing compilation artifacts. * Cargo will be adding automatic target inference for binaries, benchmarks, examples, and tests in the Rust 2018 edition. If your project specifies specific targets e.g. using [[bin]] and have other binaries in locations where cargo would infer a binary, Cargo will produce a warning. You can disable this feature ahead of time by setting any of the following autobins, autobenches, autoexamples, autotests to false. * Cargo will now cache compiler information. This can be disabled by setting CARGO_CACHE_RUSTC_INFO=0 in your environment. . [ Sylvestre Ledru ] * Update of the alioth ML address. . [ Vasudev Kamath ] * Update README.source to mention preferred way of upload. * Update unsuspicious files for new release. * debian/patches: + Refresh patch 2007 for new release. + Refresh patch 2001 for new version of libgit2-sys + Drop patch 2008 as its merged upstream. + Add patch 2003 for forcing use of libssh2 from system, which was now controlled by environment variable. * debian/copyright: + Update copyright information for new release. * Mark package compliance with Debian Policy 4.1.5. cargo (0.28.0-1~exp3) experimental; urgency=medium . * Disable incremental compilation tests on sparc64 architecture. Closes: bug#905623, Thanks to John Paul Adrian Glaubitz. cargo (0.28.0-1~exp2) experimental; urgency=medium . * Add patch 2005 to disable fetch_platform_specific_dependencies unit tests. Upstream issue #5864. cargo (0.28.0-1~exp1) experimental; urgency=medium . [ upstream ] * cargo-metadata now includes authors, categories, keywords, readme, and repository fields. * cargo-metadata now includes a package's metadata table. * Added the --target-dir optional argument. This allows you to specify a different directory than target for placing compilation artifacts. * Cargo will be adding automatic target inference for binaries, benchmarks, examples, and tests in the Rust 2018 edition. If your project specifies specific targets e.g. using [[bin]] and have other binaries in locations where cargo would infer a binary, Cargo will produce a warning. You can disable this feature ahead of time by setting any of the following autobins, autobenches, autoexamples, autotests to false. * Cargo will now cache compiler information. This can be disabled by setting CARGO_CACHE_RUSTC_INFO=0 in your environment. . [ Sylvestre Ledru ] * Update of the alioth ML address. . [ Vasudev Kamath ] * Update README.source to mention preferred way of upload. * Update unsuspicious files for new release. * debian/patches: + Refresh patch 2007 for new release. + Refresh patch 2001 for new version of libgit2-sys + Drop patch 2008 as its merged upstream. + Add patch 2003 for forcing use of libssh2 from system, which was now controlled by environment variable. * debian/copyright: + Update copyright information for new release. * Mark package compliance with Debian Policy 4.1.5. cargo (0.27.0-2) unstable; urgency=medium . * Support cross-compile install (upstream PR #5614). cargo (0.27.0-1) unstable; urgency=medium . * Upload to unstable. . cargo (0.27.0-1~exp1) experimental; urgency=medium . [ upstream ] * Cargo will now output path to custom commands when -v is passed with --list. * Cargo binary version is now same as the Rust version. * Cargo.lock files are now included in published crates. . [ Vasudev Kamath ] * Update patch 2004 for the new release. * Add files from clap and vec_map to unsuspicious list. * debian/patches: + Update path to libgit2-sys in patch 2001. + Adjust file name and paths to test files to be patched in patch 2002. + Drop all unused imports and comment out functions not just drop #[test] in patch 2002. + Drop patch 1001 as its now part of new cargo release. + Refresh patch 2007. * debian/copyright: + Update copyright information for new vendored crates. cargo (0.27.0-1~exp1) experimental; urgency=medium . [ upstream ] * Cargo will now output path to custom commands when -v is passed with --list. * Cargo binary version is now same as the Rust version. * Cargo.lock files are now included in published crates. . [ Vasudev Kamath ] * Update patch 2004 for the new release. * Add files from clap and vec_map to unsuspicious list. * debian/patches: + Update path to libgit2-sys in patch 2001. + Adjust file name and paths to test files to be patched in patch 2002. + Drop all unused imports and comment out functions not just drop #[test] in patch 2002. + Drop patch 1001 as its now part of new cargo release. + Refresh patch 2007. * debian/copyright: + Update copyright information for new vendored crates. cargo (0.26.0-1) unstable; urgency=medium . * Upload to unstable. . cargo (0.26.0-1~exp1) experimental; urgency=medium . [upstream] * cargo new now defaults to create binary crate instead of library crate. * cargo new will no longer name crates with name starting with rust- or ending with -rs. * cargo doc is faster as it uses cargo check instead of full rebuild. . [Vasudev Kamath] * Refresh the patch 2004 against newer Cargo.toml * Mark package compliance with Debian Policy 4.1.4 * debian/patches: + Drop patch 2003 and 2005, the doc should be built from source using mdbook. + Drop patch 2006, the wasm32 related test seems to be dropped upstream. + Drop patch 1002, merged upstream. + Add tests/generate_lock_file.rs to patch 2002 to disable no_index_update test, this tries to access network. + Refresh patch 1001 with new upstream release. * debian/rules: disable execution of src/ci/dox.sh, this script is no longer present in new release. * debian/copyright: + Add copyright for humantime crate. + Add copyright for lazycell crate. + Add copyright for quick-error crate + Add copyright for proc-macro2 crate. cargo (0.26.0-1~exp1) experimental; urgency=medium . [upstream] * cargo new now defaults to create binary crate instead of library crate. * cargo new will no longer name crates with name starting with rust- or ending with -rs. * cargo doc is faster as it uses cargo check instead of full rebuild. . [Vasudev Kamath] * Refresh the patch 2004 against newer Cargo.toml * Mark package compliance with Debian Policy 4.1.4 * debian/patches: + Drop patch 2003 and 2005, the doc should be built from source using mdbook. + Drop patch 2006, the wasm32 related test seems to be dropped upstream. + Drop patch 1002, merged upstream. + Add tests/generate_lock_file.rs to patch 2002 to disable no_index_update test, this tries to access network. + Refresh patch 1001 with new upstream release. * debian/rules: disable execution of src/ci/dox.sh, this script is no longer present in new release. * debian/copyright: + Add copyright for humantime crate. + Add copyright for lazycell crate. + Add copyright for quick-error crate + Add copyright for proc-macro2 crate. cargo (0.25.0-3) unstable; urgency=medium . [ Ximin Luo ] * Update Vcs-* fields to salsa . [ Vasudev Kamath ] * Add patch to prevent incremental builds on sparc64. Closes: bug#895300, Thanks to John Paul Adrian Glaubitz. clamav (0.102.1+dfsg-0+deb9u2) stretch; urgency=medium . * clamav-daemon: Correct error from ScanOnAccess option removal so that setting LogFile options via DebConf works again (Closes: #950296) . clamav (0.102.1+dfsg-0+deb9u1) stretch; urgency=medium . * Import 0.102.1 (Closes: #945265) - CVE-2019-15961 (A Denial-of-Service as a result of excessively long scan times). - Let freshclam show progress during download (Closes: #690789). * Update symbol file. * Add libfreshclam to the libclamav9 package. * Add the clamonacc binary to the clamav-daemon package. * Drop ScanOnAccess option. The clamonacc provides this functionality. clamav (0.102.1+dfsg-0+deb9u1) stretch; urgency=medium . * Import 0.102.1 (Closes: #945265) - CVE-2019-15961 (A Denial-of-Service as a result of excessively long scan times). - Let freshclam show progress during download (Closes: #690789). * Update symbol file. * Add libfreshclam to the libclamav9 package. * Add the clamonacc binary to the clamav-daemon package. * Drop ScanOnAccess option. The clamonacc provides this functionality. clamav (0.101.4+dfsg-1) unstable; urgency=medium . * Import 0.101.4 - CVE-2019-12625 (Add scan time limit to limit the processing zip-bombs) (Closes:934359) - CVE-2019-12900 (An out of bounds write was possible within ClamAV's NSIS bzip) - update symbols file (bump to 101.4 and drop unused cli_strnstr). clamav (0.101.4+dfsg-0+deb10u1) buster; urgency=medium . * Import 0.101.4 - CVE-2019-12625 (Add scan time limit to limit the processing zip-bombs) (Closes:934359) - CVE-2019-12900 (An out of bounds write was possible within ClamAV's NSIS bzip) - update symbols file (bump to 101.4 and drop unused cli_strnstr). cups (2.2.1-8+deb9u5) stretch; urgency=medium . * Backport upstream security fix: - CVE-2019-2228: The `ippSetValuetag` function did not validate the default language value (Closes: #946782) cyrus-imapd (2.5.10-3+deb9u2) stretch-security; urgency=medium . * Add patch to avoid mailbox creation as administrator (Closes: #CVE-2019-19783) cyrus-sasl2 (2.1.27~101-g0780600+dfsg-3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Off-by-one in _sasl_add_string function (CVE-2019-19906) (Closes: #947043) davical (1.1.5-1+deb9u1) stretch-security; urgency=high . * Fix three cross-site scripting and cross-site request forgery vulnerabilities in the web administration front-end: CVE-2019-18345 CVE-2019-18346 CVE-2019-18347 (closes: #946343) debian-edu-config (1.929+deb9u4) stretch-security; urgency=high . * Security fix for CVE-2019-3467 . [ Wolfgang Schweer ] * share/debian-edu-config/tools/kerberos-kdc-init: - Set proper rights for users in kadm5.acl file. (Closes: #946797) * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades. . [ Holger Levsen ] * Improve debian/debian-edu-config.postinst fix to only run once on upgrades. . [ Dominik George ] * Add NEWS to warn administrators with possible local changes. debian-installer (20170615+deb9u8) stretch; urgency=medium . [ Samuel Thibault ] * build/util/grub-gencfg: Set gfxpayload=keep in submenus too, to fix unreadable fonts on hidpi displays in netboot images booted with EFI. (See: #935546) . [ Cyril Brulebois ] * Bump linux ABI to 4.9.0-12. * Update USE_UDEBS_FROM default from unstable to stretch; debian/rules uses heuristics to set the right value anyway, but that should help users perform local builds without having to know about those heuristics. Thanks to Carsten Schoenert for the report. debian-installer-netboot-images (20170615+deb9u8) stretch; urgency=medium . * Update to 20170615+deb9u8 images, from stretch-proposed-updates debian-lan-config (0.23+deb9u1) stretch-security; urgency=high . * Fix kadmin access rules. * Add NEWS file. debian-security-support (2019.12.12~deb9u2) stretch-security; urgency=medium . * Rebuild for stretch-security. * Use debian/compat and depends on debhelper to support building on stretch. debian-security-support (2019.11.16) unstable; urgency=medium . * Add chromium to security-support-ended.deb9. * d/rules: update to NEXT_VERSION_ID=11. debian-security-support (2019.11.15) unstable; urgency=medium . * Team upload. * Add libqb to security-support-ended.deb8. debian-security-support (2019.11.01) unstable; urgency=medium . * Remove nodejs from security-support-limited as it is supported since the Buster release. Closes: #931376. * Add empty security-support-ended.deb11 file. * check-support-status.in: set DEB_NEXT_VER_ID=11. debian-security-support (2019.10.31) unstable; urgency=medium . * Mark nodejs only suitable for trusted content. Closes: #931376. * Add nasm-mozilla and nodejs-mozilla to security-support-ended.deb8 and security-support-ended.deb9 as they are only provided as build dependency for Firefox/Thunderbird >= 68. Closes: #943365. * Bump standards version to 4.4.1, no changes needed. debian-security-support (2019.06.13) unstable; urgency=medium . [ Emilio Pozuelo Monfort ] * Add mysql-5.5 to security-support-ended.deb8. . * Translation updates: - Danish, thanks to Joe Dalton. Closes: #929941. - Czech, thanks to Michal Simunek. Closes: #930384. - this means all included translations are uptodate, yay! debian-security-support (2019.06.01) unstable; urgency=medium . * New translations: - Swedish, thanks to Andreas Ronnquist. Closes: #929401. - Dutch, thanks to Frans Spiesschaert. Closes: #929809. * Translation updates: - Russian, thanks to Yuri Kozlov. Closes: #929384. - Japanese, thanks to Shinichi Sakata and victory. - Portuguese, thanks to Américo Monteiro. Closes: #929404. - Polish, thanks to Łukasz Dulny. - Brasilian Portuguese, thanks to Adriano Rafael Gomes. Closes: #929765. - Italian, thanks to Beatrice Torracca. Closes: #929812. debian-security-support (2019.05.22) unstable; urgency=medium . * Mark jasperreports as end-of-life in Stretch as well. Closes: #884907. * Explain in comments to check-support-status.hook and postinst that code needs to be present in both files as the hook could be run before postinst. #928968 has a longer explanation why and is used for tracking that this will be properly fixed eventually. debian-security-support (2019.05.14) unstable; urgency=medium . * check-support-status.in: don't fail if security-support-ended.debX does not exist for the release d-s-s is running on. Closes: #927450. * postinst and check-support-status.hook: add code to create the d-s-s user's home directory if it doesn't exist, as schroot copies /etc/passwd from the host without creating the user home directories. Closes: #928204. Thanks to Santiago Vila. * d/control: set myself as maintainer to formally adopt the package and drop Christoph Biedl on his request. Many thanks for creating this package and maintaining it, Christoph! debian-security-support (2019.04.25) unstable; urgency=medium . * Team upload. . [ Moritz Muehlenhoff ] * Remove mozjs17 from security-support-limited, long gone, add mozjs52 and mozjs60 instead. * Remove webkitgtk from security-support-limited, covered by security support now. * Remove xulrunner from security-support-limited, long gone. * Mark binutils as not covered by security support. . [ Holger Levsen ] * check-support-status.in: set latest supported version to Debian 10 / Buster. Closes: #927450. * Add empty security-support-ended.deb10 file. * Drop security-support-ended.deb6 as we don't support Squeeze anymore. debian-security-support (2019.02.02) unstable; urgency=medium . * Team upload. . [ Markus Koschany ] * Mark spice-xpi as end-of-life for Jessie. * Add edk2 to security-support-ended.deb8 * Add robocode to security-support-ended.deb8 . [ Salvatore Bonaccorso ] * Mark qtwebengine-opensource-src as limited-support. Thanks to Benjamin Barenblat (Closes: #926179) dehydrated (0.6.2-2+deb10u1~deb9u1) stretch; urgency=medium . * Backport 0.6.2-2 from buster into stretch. + In the process, retain the letsencrypt.sh compatibility binaries. + Also, revert debhelper compat bump and Multi-Arch field. + Add a NEWS item regarding the default ACME endpoint change. . dehydrated (0.6.2-2+deb10u1) buster; urgency=medium . * Add three more patches from upstream. Fixing the following bug: + Fixed fetching of account information. + Followup fixes for account ID handling, and APIv1 compatibility. . dehydrated (0.6.2-2) unstable; urgency=medium . * Add a number of patches from upstream. Fixing the following bugs: + HTTP/2 support, where header names are lowercase + Avoid over matching, checking for the Replay-Nonce header only at BOL + A bug causing deletion of domains.txt when incorrect parameters are used + Document the DOMAINS_D config option + Impoent POST-as-GET, for the upcoming change in LE's API + Document PRIVATE_KEY_ROLLOVER per-cert config option * d/control: bump Standards-Version to 4.3.0, no changes needed. . dehydrated (0.6.2-1) unstable; urgency=medium . * New upstream release 0.6.2. * Remove all patches - applied upstream. * d/control: update Homepage field. . dehydrated (0.6.1-2) unstable; urgency=medium . * Add patch from upstream to not duplicate the intermediate cert in the fullchain.pem. Closes: #896697 * d/control: + Bump Standards-Version to 4.1.4, no changes needed. + Update maintainer address to use the tracker.debian.org team. . dehydrated (0.6.1-1) unstable; urgency=low . * New upstream release 0.6.1. Note: this release changes the default CA to use the ACMEv2 endpoint of Let's Encrypt (previously it used the ACMEv1 endpoint). Notable news of this realease is the support for wildcard certificates. * d/patches: - Remove patch present in the new upstream release. - Add patch from upstream to have the example config reflect reality. * d/copyright: Update. * d/dehydrated.manapges: Update the path. * Add a closes: to the previous changelog entry. . dehydrated (0.5.0-2) unstable; urgency=medium . * Add patch from upstream to follow redirects on HTTP GET. This fixes an error when creating the fullchain.pem after the LE API introduced a new redirect. Closes: #892723 . dehydrated (0.5.0-1) unstable; urgency=medium . * New upstream release 0.5.0. * d/control: + Mark dehydrated as Multi-Arch:foreign. + Bump Standards-Version to 4.1.3, no changes needed. + Set Rules-Requires-Root:no. + Change Vcs-* fields to point to Salsa. + Change homepage to https://dehydrated.de. * d/rules: + Remove simple get-orig-source target just calling uscan. + Avoid gz-compressing the example config file. * d/copyright: update. * Bump debhelper compat version to 11. * Drop lintian override for a false positive now fixed in lintian. * Ship the new manpage from upstream instead of our auto-generated one. . dehydrated (0.4.0-2) unstable; urgency=medium . * Upload to unstable. . dehydrated (0.4.0-1) experimental; urgency=medium . * Import new upstream release 0.4.0. * Drop all Debian patches. They are either applied upstream, or related to some past migration we're not dropping support for. * Drop letsencrypt.sh and letsencrypt.sh-apache2 transitional packages. dehydrated (0.6.2-2+deb10u1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . dehydrated (0.6.2-2+deb10u1) buster; urgency=medium . * Add three more patches from upstream. Fixing the following bug: + Fixed fetching of account information. Closes: #934039 + Followup fixes for account ID handling, and APIv1 compatibility. dehydrated (0.6.2-2) unstable; urgency=medium . * Add a number of patches from upstream. Fixing the following bugs: + HTTP/2 support, where header names are lowercase + Avoid over matching, checking for the Replay-Nonce header only at BOL + A bug causing deletion of domains.txt when incorrect parameters are used + Document the DOMAINS_D config option + Impoent POST-as-GET, for the upcoming change in LE's API + Document PRIVATE_KEY_ROLLOVER per-cert config option * d/control: bump Standards-Version to 4.3.0, no changes needed. dehydrated (0.6.2-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . dehydrated (0.6.2-2) unstable; urgency=medium . * Add a number of patches from upstream. Fixing the following bugs: + HTTP/2 support, where header names are lowercase + Avoid over matching, checking for the Replay-Nonce header only at BOL + A bug causing deletion of domains.txt when incorrect parameters are used + Document the DOMAINS_D config option + Impoent POST-as-GET, for the upcoming change in LE's API + Document PRIVATE_KEY_ROLLOVER per-cert config option * d/control: bump Standards-Version to 4.3.0, no changes needed. dehydrated (0.6.2-1) unstable; urgency=medium . * New upstream release 0.6.2. * Remove all patches - applied upstream. * d/control: update Homepage field. dehydrated (0.6.2-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . dehydrated (0.6.2-1) unstable; urgency=medium . * New upstream release 0.6.2. * Remove all patches - applied upstream. * d/control: update Homepage field. dehydrated (0.6.1-2) unstable; urgency=medium . * Add patch from upstream to not duplicate the intermediate cert in the fullchain.pem. Closes: #896697 * d/control: + Bump Standards-Version to 4.1.4, no changes needed. + Update maintainer address to use the tracker.debian.org team. dehydrated (0.6.1-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . dehydrated (0.6.1-2) unstable; urgency=medium . * Add patch from upstream to not duplicate the intermediate cert in the fullchain.pem. Closes: #896697 * d/control: + Bump Standards-Version to 4.1.4, no changes needed. + Update maintainer address to use the tracker.debian.org team. dehydrated (0.6.1-1) unstable; urgency=low . * New upstream release 0.6.1. Note: this release changes the default CA to use the ACMEv2 endpoint of Let's Encrypt (previously it used the ACMEv1 endpoint). Notable news of this realease is the support for wildcard certificates. * d/patches: - Remove patch present in the new upstream release. - Add patch from upstream to have the example config reflect reality. * d/copyright: Update. * d/dehydrated.manapges: Update the path. * Add a closes: to the previous changelog entry. dehydrated (0.6.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . dehydrated (0.6.1-1) unstable; urgency=low . * New upstream release 0.6.1. Note: this release changes the default CA to use the ACMEv2 endpoint of Let's Encrypt (previously it used the ACMEv1 endpoint). Notable news of this realease is the support for wildcard certificates. * d/patches: - Remove patch present in the new upstream release. - Add patch from upstream to have the example config reflect reality. * d/copyright: Update. * d/dehydrated.manapges: Update the path. * Add a closes: to the previous changelog entry. dehydrated (0.5.0-2) unstable; urgency=medium . * Add patch from upstream to follow redirects on HTTP GET. This fixes an error when creating the fullchain.pem after the LE API introduced a new redirect. dehydrated (0.5.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . dehydrated (0.5.0-2) unstable; urgency=medium . * Add patch from upstream to follow redirects on HTTP GET. This fixes an error when creating the fullchain.pem after the LE API introduced a new redirect. dehydrated (0.5.0-1) unstable; urgency=medium . * New upstream release 0.5.0. * d/control: + Mark dehydrated as Multi-Arch:foreign. + Bump Standards-Version to 4.1.3, no changes needed. + Set Rules-Requires-Root:no. + Change Vcs-* fields to point to Salsa. + Change homepage to https://dehydrated.de. * d/rules: + Remove simple get-orig-source target just calling uscan. + Avoid gz-compressing the example config file. * d/copyright: update. * Bump debhelper compat version to 11. * Drop lintian override for a false positive now fixed in lintian. * Ship the new manpage from upstream instead of our auto-generated one. dehydrated (0.5.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . dehydrated (0.5.0-1) unstable; urgency=medium . * New upstream release 0.5.0. * d/control: + Mark dehydrated as Multi-Arch:foreign. + Bump Standards-Version to 4.1.3, no changes needed. + Set Rules-Requires-Root:no. + Change Vcs-* fields to point to Salsa. + Change homepage to https://dehydrated.de. * d/rules: + Remove simple get-orig-source target just calling uscan. + Avoid gz-compressing the example config file. * d/copyright: update. * Bump debhelper compat version to 11. * Drop lintian override for a false positive now fixed in lintian. * Ship the new manpage from upstream instead of our auto-generated one. dehydrated (0.4.0-2) unstable; urgency=medium . * Upload to unstable. dehydrated (0.4.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . dehydrated (0.4.0-2) unstable; urgency=medium . * Upload to unstable. . dehydrated (0.4.0-1) experimental; urgency=medium . * Import new upstream release 0.4.0. * Drop all Debian patches. They are either applied upstream, or related to some past migration we're not dropping support for. * Drop letsencrypt.sh and letsencrypt.sh-apache2 transitional packages. dehydrated (0.4.0-1) experimental; urgency=medium . * Import new upstream release 0.4.0. * Drop all Debian patches. They are either applied upstream, or related to some past migration we're not dropping support for. * Drop letsencrypt.sh and letsencrypt.sh-apache2 transitional packages. dehydrated (0.3.1-3+deb9u3) stretch; urgency=medium . * Add patch from upstream to fix cert renewal when using HTTP/2. Closes: #941414 dispmua (1.8.4.6-1~deb9u1) stretch; urgency=medium . * Team upload * Backport to Stretch in order to make dispmua compatible with Thunderbird 68.x again. (Closes: #943584) * Revert to compat level 10. dispmua (1.8.2-1) unstable; urgency=medium . * [1834f9b] New upstream version 1.8.2 * [d3aed37] switch to debhelper 10 * [32068a7] bump up Standards-Version to 4.3.0 * [c6a2c9d] change VCS fields to new git location (salsa) dpdk (16.11.11-1+deb9u1) stretch; urgency=medium . * New upstream version 16.11.11 * https://mails.dpdk.org/archives/announce/2019-November/000297.html * Fixes CVE-2019-14818 * Fixes vhost regression introduced by 16.11.10 and CVE fix * Drop patches merged in 16.11.10 dpdk (16.11.9-1+deb9u2) stretch-security; urgency=high . * Backport patches to fix CVE-2019-14818. A denial of service security issue has been found in the Vhost PMD. e2fsprogs (1.43.4-2+deb9u1) stretch-security; urgency=high . * Fix CVE-2019-5094: potential buffer overrun in e2fsck (Closes: #941139) exim4 (4.89-2+deb9u6) stretch-security; urgency=high . * 85_01-string.c-do-not-interpret-before-0-CVE-2019-15846.patch Fix SNI related buffer overflow. CVE-2019-15846 expat (2.2.0-2+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * xmlparse.c: Deny internal entities closing the doctype (CVE-2019-15903) (Closes: #939394) faad2 (2.8.0~cvs20161113-1+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2018-20357, CVE-2018-20359, CVE-2018-20197, CVE-2018-20194, CVE-2018-19503, CVE-2018-20361: multiple memory corruption vulnerabilities caused by insufficiently sanitized frequency band borders. * CVE-2018-20358, CVE-2018-20362, CVE-2018-19504, CVE-2018-20195, CVE-2018-20198: multiple memory corruption vulnerabilities caused by syntax element inconsistencies (implicit channel mapping reconfiguration). * CVE-2019-15296: buffer overflow in faad_resetbits. * CVE-2018-19502: heap based buffer overfow in excluded_channels (libfaad/syntax.c) (Closes: #914641). fence-agents (4.0.25-1+deb9u2) stretch; urgency=medium . * Update patch for removing fence_amt_ws (Closes: #934519) fig2dev (1:3.2.6a-2+deb9u3) stretch; urgency=medium . * 41_CVE-2019-19555: Allow Fig v2 text strings ending with multiple ^A. This fixes CVE-2019-19555 (Closes: #946176). file (1:5.30-1+deb9u3) stretch-security; urgency=high . * Cherry-pick commit to restrict the number of CDF_VECTOR elements. Closes: #942830 [CVE-2019-18218] file-roller (3.22.3-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Path traversal vulnerability (CVE-2019-16680) firefox-esr (68.4.1esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fix for mfsa2020-03, also known as CVE-2019-17026. firefox-esr (68.4.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2020-02, also known as: CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17021, CVE-2019-17022, CVE-2019-17024. . * debian/rules: Don't build with --compress-debug-sections on jessie. * debian/rules: Use sourcestamp.txt for MOZ_BUILD_DATE. Closes: #946193. . * sourcestamp.txt: Fill with the missing info. * intl/icu_sources_data.py: Don't build ICU in parallel. * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around older GCC ICEs on arm. (Thanks Emilio Pozuelo Monfort) firefox-esr (68.4.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release. * Fixes for mfsa2020-02, also known as: CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17021, CVE-2019-17022, CVE-2019-17024. . * debian/rules: Don't build with --compress-debug-sections on jessie. * debian/rules: Use sourcestamp.txt for MOZ_BUILD_DATE. Closes: #946193. . * sourcestamp.txt: Fill with the missing info. * intl/icu_sources_data.py: Don't build ICU in parallel. * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around older GCC ICEs on arm. (Thanks Emilio Pozuelo Monfort) firefox-esr (68.4.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2020-02, also known as: CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17021, CVE-2019-17022, CVE-2019-17024. . * debian/rules: Don't build with --compress-debug-sections on jessie. * debian/rules: Use sourcestamp.txt for MOZ_BUILD_DATE. Closes: #946193. . * sourcestamp.txt: Fill with the missing info. firefox-esr (68.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-37, also known as: CVE-2019-17008, CVE-2019-11745, CVE-2019-17010, CVE-2019-17005, CVE-2019-17011, CVE-2019-17012. . * debian/control*: Bump nss build dependencies. * debian/rules, debian/control.in: - Build with nodejs-mozilla on jessie and stretch. - Build with nasm-mozilla on jessie and stretch. - Don't build with system libvpx on stretch. (Thanks Emilio Pozuelo Monfort) firefox-esr (68.3.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-37, also known as: CVE-2019-17008, CVE-2019-11745, CVE-2019-17010, CVE-2019-17005, CVE-2019-17011, CVE-2019-17012. . * debian/control*: Bump nss build dependencies. * debian/rules, debian/control.in: - Build with nodejs-mozilla on jessie and stretch. - Build with nasm-mozilla on jessie and stretch. - Don't build with system libvpx on stretch. (Thanks Emilio Pozuelo Monfort) firefox-esr (68.3.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-37, also known as: CVE-2019-17008, CVE-2019-11745, CVE-2019-17010, CVE-2019-17005, CVE-2019-17011, CVE-2019-17012. . * debian/control.in: Bump nss build dependencies. * intl/icu_sources_data.py: - Revert change from 68.2.0esr-1~deb9u2. - Don't build ICU in parallel. * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around GCC ICEs on arm. (Thanks Emilio Pozuelo Monfort) firefox-esr (68.2.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-33, also known as: CVE-2019-15903, CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764. firefox-esr (68.2.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-33, also known as: CVE-2019-15903, CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764. . firefox-esr (68.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-26, also known as CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11752, CVE-2019-9812, CVE-2019-11743, CVE-2019-11748, CVE-2019-11749, CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735, CVE-2019-11740. . * debian/upstream.mk: Read source repo and revision from json when getting upstream info. Instead of the .txt file that doesn't exist as of 69. * debian/control*: - Remove unused build dependency against python-ply. - Remove python-minimal build dependency. All supported versions of Debian have a new enough version. * debian/l10n/gen, debian/latest_nightly.py, debian/rules, debian/symbols.mk, debian/upstream.mk, debian/watch: Use explicit python2.7 instead of python. . firefox-esr (68.0.2esr-1) unstable; urgency=medium . * New upstream ESR release. . firefox (68.0.2-3) unstable; urgency=medium . * debian/control.in: Take source package name from preprocessing. . * build/moz.configure/old.configure: Avoid race condition creating old-configure. bz#1574761. * dom/media/systemservices/CamerasChild.cpp, dom/media/systemservices/CamerasParent.cpp, dom/media/systemservices/VideoEngine.cpp, dom/media/webrtc/MediaEngineRemoteVideoSource.cpp: Don't use __PRETTY_FUNCTION__ or __FUNCTION__ as format strings. bz#1531309. Closes: #925680. . firefox (68.0.2-2) unstable; urgency=medium . * debian/rules: Fix MOZ_APP_REMOTINGNAME. Upstream build system changes made the config.status editing trick stop working. Export the variable for configure to pick it instead. Closes: #932256 . firefox (68.0.2-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-24, also known as CVE-2019-11733. . * debian/control*, debian/rules: Don't build against system vpx >= 1.8.0. It has API changes that cause FTBFS. . firefox (68.0.1-2) unstable; urgency=medium . * debian/rules: Work around https://github.com/rust-lang/cargo/issues/7147. . firefox (68.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/rules: - Hook stamps/dh_install-l10n to override_dh_install-indep rather than binary-indep. - Pass make job server down through dh_auto_build. * debian/rules, debian/dh: Wrap dh to ensure debian/rules is invoked with parallelism. . firefox (68.0-3) unstable; urgency=medium . * debian/browser.README.Debian.in: Fix a reference to iceweasel in README.Debian. Thanks Edward Betts. * debian/rules: - Only exclude "-g" from dpkg-buildflags output. All the other flags that used to be excluded either already match upstream or add reproducibility. - Don't unexpectedly reset LDFLAGS. - [firefox-esr] Remove iceweasel transitional packages on bullseye. - Disable dh_strip_nondeterminism. Upstream build system already avoids non-determinism it would strip, so there is no need for it further modifying files. - Avoid arch:all builds building arch:any stuff. - Move AUTOCONF_DIRS cleanup after dh_clean. - Add rust flags to improve reproducibility. - Only touch or remove configure when it wasn't there to begin with. - Call configure using its full path. - Factor common configure arguments. - Build langpacks with --disable-compile-environment, and pass less configure arguments. - Build each langpack from a separate build directory. This means time wasted running configure more times, but all locales can now be built in parallel. * debian/symbols.mk, debian/symbols.apt.conf, debian/symbols.sources.list: Miscellaneous changes to symbols download script. * debian/make.mk: Exclude symbols.mk variables from dump output. * debian/browser.mozconfig.in: Remove redundant --prefix=/usr. * debian/control.in, debian/rules, debian/symbols.mk, debian/upstream.mk: Remove packaging scripts compatibility with Wheezy. . * moz.configure: Only add confvars.sh as a dependency to config.status when it exists. bz#1560340. . firefox (68.0-2) unstable; urgency=medium . * debian/rules, debian/upstream.mk: Account for next Debian release. * debian/rules, debian/control: Build against system sqlite again. . * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around GCC ICE on mips*, i386 and s390x. Closes: #931757 * python/mozbuild/mozbuild/action/langpack_manifest.py: Use build id as langpack version for reproducibility. bz#1565504. . firefox (68.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-21, also known as: CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11714, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717, CVE-2019-11718, CVE-2019-11720, CVE-2019-11721, CVE-2019-11730, CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727, CVE-2019-11728, CVE-2019-11710, CVE-2019-11709. . * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build dependencies. Remove Build-Conflicts with nss 3.44-1, since we now build-depend on a more recent version. * debian/rules, debian/control: Don't build against system sqlite, as Debian doesn't have the required version yet. * [firefox-esr] debian/l10n/browser-l10n.control*, debian/l10n/gen: Don't generate iceweasel l10n transition packages for locales that were never offered with iceweasel. * debian/control, debian/l10n/browser-l10n.control.in: Add transition dependencies for Bengali l10n. There is now only one Bengali l10n package instead of two. * debian/rules: Disable JIT at build time on mips because it fails to build. . * build/gyp.mozbuild: Revert patch that disables libyuv assembly on mips64. It apparently compiles, now. . firefox (67.0.4-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-19, also known as CVE-2019-11708. . firefox (67.0.3-2) unstable; urgency=medium . * python/mozbuild/mozbuild/action/node.py: Attempt to work around make issue happening on arch: all buildd. . firefox (67.0.3-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-18, also known as CVE-2019-11707. . firefox (67.0.2-1) unstable; urgency=medium . * New upstream release. . firefox (67.0.1-1) unstable; urgency=medium . * New upstream release. . firefox (67.0-4) unstable; urgency=medium . * debian/rules: Work around FTBFS on mips* by disabling webrtc Build fails because of missing configurations for mips*. * debian/control*: Build-Conflicts with libnss3-dev 2:3.44-1. Closes: #929846. . * js/src/jit/mips32/MacroAssembler-mips32-inl.h: Fix FTBFS on mips/mipsel. bz#1556197. . firefox (67.0-3) unstable; urgency=medium . * media/webrtc/trunk/webrtc/system_wrappers/source/cpu_features.cc: Remove WebRtc_GetCPUFeaturesARM from cpu_features.cc. It is already in cpu_features_linux.c (and is not in cpu_features.cc in webrtc upstream). Fixes FTBFS on armhf. bz#1523162. . firefox (67.0-2) unstable; urgency=medium . * debian/extra-stuff/addonsInfo.jsm: - Avoid running -dumps-addons-info without a running Firefox counting as a crash. - Support addons in resource:// locations in -dump-addons-info . * js/src/wasm/WasmSignalHandlers.cpp: Include struct definitions for user_vfp and user_vfp_exc. Fixes FTBFS on armhf. bz#1526653. * js/src/jit/mips*/MacroAssembler-mips*-inl.h, js/src/jit/mips*/Trampoline-mips*.cpp: Fix functions: branchTestBigInt, negPtr, generateVMWrapper on MIPS. bz#1544631. * toolkit/modules/sessionstore/PrivacyFilter.jsm: Update and harden form data filtering for privacy to account for no data being passed in. bz#1553413. . firefox (67.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2019-13, also known as: CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, CVE-2019-9821, CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-7317, CVE-2019-11695, CVE-2019-11696, CVE-2019-11697, CVE-2019-11698, CVE-2019-11699, CVE-2019-11701, CVE-2019-9814, CVE-2019-9800. * Upload to experimental because the required cbindgen is not available in unstable. . * debian/control*: Bump nspr, sqlite, rustc, cargo and cbindgen build dependencies. * debian/extra-stuff/addonsInfo.*, debian/extra-stuff/moz.build, debian/installer/package-manifest.browser, debian/rules: Modernize addonsInfo per bz#1431533, bz#1432992, bz#1514594, bz#1524688, etc. . firefox (66.0.5-1) unstable; urgency=medium . * New upstream release. - Additional fixes for addon signature validation. . firefox (66.0.4-1) unstable; urgency=medium . * New upstream release. - Fixes issues with addon signature validation. Closes: #928417. Note: this didn't affect addons installed via Debian packages. . firefox (66.0.1-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-09, also known as: CVE-2019-9810, CVE-2019-9813. . * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build dependencies. . firefox (66.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-07, also known as: CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, CVE-2019-9795, CVE-2019-9796, CVE-2019-9797, CVE-2019-9799, CVE-2019-9802, CVE-2019-9803, CVE-2019-9805, CVE-2019-9806, CVE-2019-9807, CVE-2019-9809, CVE-2019-9808, CVE-2019-9789, CVE-2019-9788. . * debian/browser.mozconfig.in: Adjust to the upstream change wrt Google API key configure options. * debian/control*: Add nasm build dependency on amd64 and i386. . firefox (65.0.1-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-04, also known as: CVE-2018-18356, CVE-2019-5795, CVE-2018-18511. . * debian/rules, debian/upstream.mk: Manually set the update channel. Closes: #921381, #921121, #921654. * debian/rules: Build with -mfp32 on mips and mipsel. This should fix the FTBFS. . firefox (65.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-01, also known as: CVE-2018-18500, CVE-2018-18503, CVE-2018-18504, CVE-2018-18505, CVE-2018-18506, CVE-2018-18502, CVE-2018-18501. . * debian/control*: Bump nss, sqlite, rustc, cargo and cbindgen build dependencies. * debian/browser.install.in: Install libmozwayland.so. . firefox (64.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-29, also known as: CVE-2018-12407, CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, CVE-2018-18495, CVE-2018-18496, CVE-2018-18497, CVE-2018-18498, CVE-2018-12406, CVE-2018-12405. . * debian/rules, debian/browser.install.in: Properly copy the watermark to /usr/share/icons/hicolor/symbolic/apps. * debian/rules: Disable debug symbols on 32-bits architectures, that requires too much memory. * debian/browser.mozconfig.in: - Remove --enable-pie option, it's the default, now. - Remove --disable-nodejs now that it's required. * debian/control*: - Bump rustc, cargo, cbindgen, nss and sqlite dependencies. - Add nodejs build dependency. * debian/browser-symbolic.svg.in: Import the watermark used for the symbolic icon in the debian/ directory. . firefox (63.0.3-1) unstable; urgency=medium . * New upstream release. . * debian/control*: Build depend on unversioned clang/llvm. Closes: #912802. * debian/rules: Use embedded libevent in backports. Closes: #910397. * debian/rules: Use GNU gold linker on i386 because BFD ld fails to link libxul.so (memory exhausted). . * build/unix/elfhack/test.c: Try to ensure the bss section of the elfhack testcase stays large enough. bz#1505608. * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB on systems with large pages. bz#1507035. Closes: #911898. * media/libaom/moz.build: Use NEON_FLAGS instead of VPX_ASFLAGS for libaom neon code. * gfx/cairo/libpixman/src/pixman-vmx.c: Protect #include in pixman-vmx.c like in other pixman-*.c files . firefox (63.0.1-1) unstable; urgency=medium . * New upstream release. * debian/google.key: Use new Google API key, courtesy of Francois Marier. . firefox (63.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-26, also known as: CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396, CVE-2018-12397, CVE-2018-12398, CVE-2018-12399, CVE-2018-12401, CVE-2018-12402, CVE-2018-12403, CVE-2018-12388, CVE-2018-12390. . * debian/control*: - Bump nss dependency. - Add build dependency on cbindgen. * debian/browser.mozconfig.in: Disable nodejs until it's actually necessary. * debian/rules: Add -Wl,--compress-debug-sections=zlib to LDFLAGS to work around elfhack failing with unstripped binaries larger than 2GiB. . firefox (62.0.3-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-24, also known as: CVE-2018-12386, CVE-2018-12387. . * debian/extra-stuff/addonsInfo.js: Fixes to work with recent versions of Firefox. Closes: #909056. * debian/control*, debian/browser.mozconfig.in: Build ALSA support. Closes: #864987, #900062, #908349 . firefox (62.0.2-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-22, also known as CVE-2018-12385. * Ignore locale change events for the search service on shutdown. bz#1489820. Closes: #908932. . * debian/control*: - Remove the sqlite and nss dependencies when not building against the system libraries. - Enforce nss, nspr and sqlite dependencies to the same versions as build dependencies. There are subtle non-ABI differences between versions that Firefox might be relying on (be it features, behavior changes/fixes, etc.) and can cause subtle problems when older versions are used. Closes: #908225, #908520. - Add a suggestion for pulseaudio. * debian/rules, debian/control: Add libavcodec-extra* packages to the list of recommends. Closes: #909130 . * js/src/jit/BaselineJIT.h: Disable baseline JIT when SSE2 is not supported at runtime. bz#1492064. Closes: #908396, #908449. * gfx/2d/Swizzle.cpp: Use Swizzle fallback when SSE2 is not supported. bz#1492065. Closes: #877445. . firefox (62.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-20, also known as: CVE-2018-12377, CVE-2018-12378, CVE-2018-12383, CVE-2018-12375, CVE-2018-12376. . * debian/control*: - Bump nss and sqlite build dependencies. - Build depend on llvm/clang 6.0 for buster. Closes: #906175. * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove build dependency on libbz2-dev. It's not used anymore. * debian/noinstall.in: Remove the dictionaries directory, not part of the packaged Firefox anymore. * debian/l10n/gen: Use iso-codes json data instead of XML when present. Closes: #907611. . * widget/gtk/nsAppShell.cpp: Use remoting name for call to gdk_set_program_class. Closes: #907574. . firefox (61.0.1-1) unstable; urgency=medium . * New upstream release. . firefox (61.0-2) unstable; urgency=medium . * debian/browser.mozconfig.in, debian/control*, debian/rules: Remove build dependency on system libhunspell. Using system hunspell lacks features required by Firefox. Next version of Firefox doesn't allow to build against system hunspell anyways. Closes: #900469. * debian/browser.links.in, debian/rules, debian/vendor.js: Use the spellchecker.dictionary_path pref to set the hunspell directory. * debian/browser.mozconfig.in: Allow unsigned addons in app and system scopes. * debian/rules: Work around the effect the above has on the --{enable,with}-system-* check. * debian/control*: Remove old conflicts. Thanks Sylvestre Ledru. Closes: #882956. * debian/l10n/recommends, debian/l10n/browser-l10n.control, debian/control: Update dictionary recommendations, following these rules: - Transitional myspell packages are not listed except when stable doesn't have the corresponding hunspell package. - Both hunspell and myspell packages are listed if they are different. Closes: #813832, #825843 * debian/copyright, debian/rules: Refer to /usr/share/common-licenses/MPL* instead of installing our own copy. Closes: #704303. * debian/make.mk: Use the same code as dump target for the dump-% target. * debian/control*, debian/rules: Add Recommends on all supported libavcodec libraries for h264 playback. Closes: #901600. . * toolkit/modules/AppConstants.jsm, toolkit/modules/moz.build, toolkit/moz.configure, toolkit/mozapps/extensions/internal/XPIInstall.jsm, toolkit/mozapps/extensions/content/extensions.js, toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Change how addon signature requirement relaxation is done. Closes: #899390. . firefox (61.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-15, also known as: CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12358, CVE-2018-12362, CVE-2018-5156, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12371, CVE-2018-12366, CVE-2018-12367, CVE-2018-12369, CVE-2018-12370, CVE-2018-5186, CVE-2018-5187, CVE-2018-5188. . * debian/control*: - Bump nss and sqlite build dependencies. - Add a build dependency on python3. * debian/browser.install.in: Adjust to upstream changes. * debian/vendor.js: Relax the addon signature requirements. . * toolkit/mozapps/extensions/content/extensions.js, toolkit/mozapps/extensions/internal/XPIDatabase.jsm: Allow to relax the addon signature requirements. firefox-esr (68.2.0esr-1~deb9u2) stretch-security; urgency=medium . * Don't set the NASM make variable on architectures without nasm, fixes FTBFS on !x86. * Output icu build log to stdout rather than to a file. firefox-esr (68.2.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-33, also known as: CVE-2019-15903, CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764. firefox-esr (68.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-26, also known as CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11752, CVE-2019-9812, CVE-2019-11743, CVE-2019-11748, CVE-2019-11749, CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735, CVE-2019-11740. . * debian/upstream.mk: Read source repo and revision from json when getting upstream info. Instead of the .txt file that doesn't exist as of 69. * debian/control*: - Remove unused build dependency against python-ply. - Remove python-minimal build dependency. All supported versions of Debian have a new enough version. * debian/l10n/gen, debian/latest_nightly.py, debian/rules, debian/symbols.mk, debian/upstream.mk, debian/watch: Use explicit python2.7 instead of python. firefox-esr (68.0.2esr-1) unstable; urgency=medium . * New upstream ESR release. firefox-esr (60.9.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release. Fixes for mfsa2019-27, also known as: CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11752, CVE-2019-9812, CVE-2019-11743, CVE-2019-11740. firefox-esr (60.9.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. Fixes for mfsa2019-27, also known as: CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11752, CVE-2019-9812, CVE-2019-11743, CVE-2019-11740. firefox-esr (60.8.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-22, also known as: CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11729, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11730, CVE-2019-11709. firefox-esr (60.8.0esr-1~deb10u1) buster-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-22, also known as: CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11729, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11730, CVE-2019-11709. firefox-esr (60.8.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-22, also known as: CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11729, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11730, CVE-2019-11709. firefox-esr (60.7.2esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa219-19, also known as CVE-2019-11708. firefox-esr (60.7.2esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa219-19, also known as CVE-2019-11708. firefox-esr (60.7.1esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-18, also known as CVE-2019-11707. flightcrew (0.7.2+dfsg-9+deb9u1) stretch; urgency=medium . * Fix CVE-2019-13241 for stretch release. * Fix CVE-2019-13032 for stretch release. Closes: #931246 freeimage (3.17.0+ds1-5+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2019-12213: stack exhaustion caused by unwanted recursion in ReadThumbnail (Closes: #929597). * CVE-2019-12211: heap buffer overflow caused by invalid memcpy in PluginTIFF. freetype (2.6.3-3.2+deb9u1) stretch; urgency=medium . * Add an upstream patch to correctly handle deltas in TrueType GX fonts (Closes: #929982). This patch allows variable hinted fonts to render correctly in Chromium and Firefox. ghostscript (9.26a~dfsg-0+deb9u6) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * remove .forceput from /.charkeys (CVE-2019-14869) ghostscript (9.26a~dfsg-0+deb9u5) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * make .forceput inaccessible (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813) * Issue an error message if an ExtGstate is not found * PDF interpreter - review .forceput security (CVE-2019-14817) git (1:2.11.0-3+deb9u5) stretch-security; urgency=high . * Apply patches addressing the security issues CVE-2019-1348, CVE-2019-1349, CVE-2019-1352, CVE-2019-1353, and CVE-2019-1387. . Credit for finding these vulnerabilities goes to Microsoft Security Response Center, in particular to Nicolas Joly. Fixes were provided by Jeff King and Johannes Schindelin with help from Garima Singh. . * Reject setting "update = !command" in .gitmodules. This makes the behavior better match Git 2.24.1 which made the same change to address the arbitrary code execution issue CVE-2019-19604 (which does not affect Git versions before 2.20.0). . Also reject "update = !command" in fsck. This ensures that if Git is run as a server with "transfer.fsckObjects" enabled, it cannot be used to attack clients vulnerable to CVE-2019-19604. . Credit for finding this vulnerability goes to Joern Schneeweisz from GitLab. glib2.0 (2.50.3-2+deb9u2) stretch; urgency=medium . * Team upload * d/p/credentials-Invalid-Linux-struct-ucred-means-no-informati.patch, d/p/GDBus-prefer-getsockopt-style-credentials-passing-APIs.patch: Ensure libdbus clients can authenticate with a GDBusServer like the one in ibus, backported from upstream 2.62.x branch (Closes: #941018) * d/control.in: Update Vcs-Git, Vcs-Browser gnustep-base (1.24.9-3.1+deb9u1) stretch; urgency=medium . * debian/patches/gdomap-udp-amplification.patch: New; fix UDP amplification vulnerability. Thanks to Alan Jenkins. * debian/patches/series: Update. * debian/gbp.conf: New file. ibus (1.5.14-3+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * bus: Implement GDBusAuthObserver callback (CVE-2019-14822) intel-microcode (3.20191115.2~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security (no changes) * Refer to DSA-4565-2 for details. . intel-microcode (3.20191115.2) unstable; urgency=medium . * Microcode rollbacks (closes: #946515, LP#1854764): sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 * Avoids hangs on warm reboots (cold boots work fine) on HEDT and Xeon processors with signature 0x50654. https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 . intel-microcode (3.20191115.1) unstable; urgency=high . * New upstream microcode datafile 20191115 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 sig 0x000806e9, pf_mask 0x10, 2019-10-15, rev 0x00ca, size 100352 sig 0x000806e9, pf_mask 0xc0, 2019-09-26, rev 0x00ca, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806eb, pf_mask 0xd0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ec, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906ed, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 100352 sig 0x000a0660, pf_mask 0x80, 2019-10-03, rev 0x00ca, size 91136 . intel-microcode (3.20191113.1~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security (no changes) * Refer to DSA-4565-2 for details. . intel-microcode (3.20191113.1) unstable; urgency=high . * New upstream microcode datafile 20191113 + SECURITY UPDATE, refer to the 3.20191112.1 changelog entry for details Adds microcode update for CFL-S (Coffe Lake Desktop) INTEL-SA-00270, CVE-2019-11135, CVE-2019-0117 + Updated Microcodes (previously removed): sig 0x000906ec, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 intel-microcode (3.20191115.1) unstable; urgency=high . * New upstream microcode datafile 20191115 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 sig 0x000806e9, pf_mask 0x10, 2019-10-15, rev 0x00ca, size 100352 sig 0x000806e9, pf_mask 0xc0, 2019-09-26, rev 0x00ca, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806eb, pf_mask 0xd0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ec, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906ed, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 100352 sig 0x000a0660, pf_mask 0x80, 2019-10-03, rev 0x00ca, size 91136 intel-microcode (3.20191115.1~deb10u1) buster-security; urgency=high . * Rebuild for buster-security (no changes) * Refer to DSA-4565-2 for details. . intel-microcode (3.20191115.1) unstable; urgency=high . * New upstream microcode datafile 20191115 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 sig 0x000806e9, pf_mask 0x10, 2019-10-15, rev 0x00ca, size 100352 sig 0x000806e9, pf_mask 0xc0, 2019-09-26, rev 0x00ca, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806eb, pf_mask 0xd0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ec, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906ed, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 100352 sig 0x000a0660, pf_mask 0x80, 2019-10-03, rev 0x00ca, size 91136 . intel-microcode (3.20191113.1~deb10u1) buster-security; urgency=high . * Rebuild for buster-security (no changes) * Refer to DSA-4565-2 for details. . intel-microcode (3.20191113.1) unstable; urgency=high . * New upstream microcode datafile 20191113 + SECURITY UPDATE, refer to the 3.20191112.1 changelog entry for details Adds microcode update for CFL-S (Coffe Lake Desktop) INTEL-SA-00270, CVE-2019-11135, CVE-2019-0117 + Updated Microcodes (previously removed): sig 0x000906ec, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 intel-microcode (3.20191115.1~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security (no changes) * Refer to DSA-4565-2 for details. . intel-microcode (3.20191115.1) unstable; urgency=high . * New upstream microcode datafile 20191115 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 sig 0x000806e9, pf_mask 0x10, 2019-10-15, rev 0x00ca, size 100352 sig 0x000806e9, pf_mask 0xc0, 2019-09-26, rev 0x00ca, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806eb, pf_mask 0xd0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ec, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906ed, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 100352 sig 0x000a0660, pf_mask 0x80, 2019-10-03, rev 0x00ca, size 91136 . intel-microcode (3.20191113.1~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security (no changes) * Refer to DSA-4565-2 for details. . intel-microcode (3.20191113.1) unstable; urgency=high . * New upstream microcode datafile 20191113 + SECURITY UPDATE, refer to the 3.20191112.1 changelog entry for details Adds microcode update for CFL-S (Coffe Lake Desktop) INTEL-SA-00270, CVE-2019-11135, CVE-2019-0117 + Updated Microcodes (previously removed): sig 0x000906ec, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 intel-microcode (3.20191113.1) unstable; urgency=high . * New upstream microcode datafile 20191113 + SECURITY UPDATE, refer to the 3.20191112.1 changelog entry for details Adds microcode update for CFL-S (Coffe Lake Desktop) INTEL-SA-00270, CVE-2019-11135, CVE-2019-0117 + Updated Microcodes (previously removed): sig 0x000906ec, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 intel-microcode (3.20191112.1) unstable; urgency=medium . * New upstream microcode datafile 20191112 + SECURITY UPDATE - Implements MDS mitigation (TSX TAA), INTEL-SA-00270, CVE-2019-11135 - Implements TA Indirect Sharing mitigation, and improves the MDS mitigation (VERW) - Fixes FIVR (Xeon Voltage Modulation) vulnerability, INTEL-SA-00271, CVE-2019-11139 - Fixes SGX vulnerabilities and errata (including CVE-2019-0117) + CRITICAL ERRATA FIXES - Fixes Jcc conditional jump macro-fusion erratum (Skylake+, except Ice Lake), causes a 0-3% typical perforance hit (can be as bad as 10%). But ensures the processor will actually jump where it should, so don't even *dream* of not applying this fix. - Fixes AVX SHUF* instruction implementation flaw erratum + Removed Microcodes: sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 + New Microcodes: sig 0x000406d8, pf_mask 0x01, 2019-09-16, rev 0x012d, size 84992 sig 0x00050656, pf_mask 0xbf, 2019-09-05, rev 0x400002c, size 51200 sig 0x00060663, pf_mask 0x80, 2018-04-17, rev 0x002a, size 87040 sig 0x000706a8, pf_mask 0x01, 2019-08-29, rev 0x0016, size 74752 sig 0x000706e5, pf_mask 0x80, 2019-09-05, rev 0x0046, size 102400 sig 0x000a0660, pf_mask 0x80, 2019-08-27, rev 0x00c6, size 91136 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-08-14, rev 0x00d4, size 101376 sig 0x00050654, pf_mask 0xb7, 2019-09-05, rev 0x2000065, size 34816 sig 0x00050657, pf_mask 0xbf, 2019-09-05, rev 0x500002c, size 51200 sig 0x000506e3, pf_mask 0x36, 2019-08-14, rev 0x00d4, size 101376 sig 0x000706a1, pf_mask 0x01, 2019-08-28, rev 0x0032, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-08-14, rev 0x00c6, size 99328 sig 0x000806e9, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-08-14, rev 0x00c6, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906ed, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 + Updated Microcodes (previously removed): sig 0x00050653, pf_mask 0x97, 2019-09-09, rev 0x1000151, size 32768 intel-microcode (3.20191112.1~deb10u1) buster-security; urgency=high . * Rebuild for buster-security (no changes) * Refer to DSA-4565-1 for details. . intel-microcode (3.20191112.1) unstable; urgency=medium . * New upstream microcode datafile 20191112 + SECURITY UPDATE - Implements MDS mitigation (TSX TAA), INTEL-SA-00270, CVE-2019-11135 - Implements TA Indirect Sharing mitigation, and improves the MDS mitigation (VERW) - Fixes FIVR (Xeon Voltage Modulation) vulnerability, INTEL-SA-00271, CVE-2019-11139 - Fixes SGX vulnerabilities and errata (including CVE-2019-0117) + CRITICAL ERRATA FIXES - Fixes Jcc conditional jump macro-fusion erratum (Skylake+, except Ice Lake), causes a 0-3% typical perforance hit (can be as bad as 10%). But ensures the processor will actually jump where it should, so don't even *dream* of not applying this fix. - Fixes AVX SHUF* instruction implementation flaw erratum + Removed Microcodes: sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 + New Microcodes: sig 0x000406d8, pf_mask 0x01, 2019-09-16, rev 0x012d, size 84992 sig 0x00050656, pf_mask 0xbf, 2019-09-05, rev 0x400002c, size 51200 sig 0x00060663, pf_mask 0x80, 2018-04-17, rev 0x002a, size 87040 sig 0x000706a8, pf_mask 0x01, 2019-08-29, rev 0x0016, size 74752 sig 0x000706e5, pf_mask 0x80, 2019-09-05, rev 0x0046, size 102400 sig 0x000a0660, pf_mask 0x80, 2019-08-27, rev 0x00c6, size 91136 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-08-14, rev 0x00d4, size 101376 sig 0x00050654, pf_mask 0xb7, 2019-09-05, rev 0x2000065, size 34816 sig 0x00050657, pf_mask 0xbf, 2019-09-05, rev 0x500002c, size 51200 sig 0x000506e3, pf_mask 0x36, 2019-08-14, rev 0x00d4, size 101376 sig 0x000706a1, pf_mask 0x01, 2019-08-28, rev 0x0032, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-08-14, rev 0x00c6, size 99328 sig 0x000806e9, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-08-14, rev 0x00c6, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906ed, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 + Updated Microcodes (previously removed): sig 0x00050653, pf_mask 0x97, 2019-09-09, rev 0x1000151, size 32768 . intel-microcode (3.20190918.1) unstable; urgency=medium . * New upstream microcode datafile 20190918 + SECURITY UPDATE *Might* contain mitigations for INTEL-SA-00247 (RAMBleed), given the set of processors being updated. + Updated Microcodes: sig 0x000306d4, pf_mask 0xc0, 2019-06-13, rev 0x002e, size 19456 sig 0x000306f4, pf_mask 0x80, 2019-06-17, rev 0x0016, size 18432 sig 0x00040671, pf_mask 0x22, 2019-06-13, rev 0x0021, size 14336 sig 0x000406f1, pf_mask 0xef, 2019-06-18, rev 0xb000038, size 30720 sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 sig 0x00050657, pf_mask 0xbf, 2019-08-12, rev 0x500002b, size 51200 sig 0x00050662, pf_mask 0x10, 2019-06-17, rev 0x001c, size 32768 sig 0x00050663, pf_mask 0x10, 2019-06-17, rev 0x7000019, size 24576 sig 0x00050664, pf_mask 0x10, 2019-06-17, rev 0xf000017, size 24576 sig 0x00050665, pf_mask 0x10, 2019-06-17, rev 0xe00000f, size 19456 intel-microcode (3.20191112.1~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security (no changes) * Refer to DSA-4565-1 for details. . intel-microcode (3.20191112.1) unstable; urgency=medium . * New upstream microcode datafile 20191112 + SECURITY UPDATE - Implements MDS mitigation (TSX TAA), INTEL-SA-00270, CVE-2019-11135 - Implements TA Indirect Sharing mitigation, and improves the MDS mitigation (VERW) - Fixes FIVR (Xeon Voltage Modulation) vulnerability, INTEL-SA-00271, CVE-2019-11139 - Fixes SGX vulnerabilities and errata (including CVE-2019-0117) + CRITICAL ERRATA FIXES - Fixes Jcc conditional jump macro-fusion erratum (Skylake+, except Ice Lake), causes a 0-3% typical perforance hit (can be as bad as 10%). But ensures the processor will actually jump where it should, so don't even *dream* of not applying this fix. - Fixes AVX SHUF* instruction implementation flaw erratum + Removed Microcodes: sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 + New Microcodes: sig 0x000406d8, pf_mask 0x01, 2019-09-16, rev 0x012d, size 84992 sig 0x00050656, pf_mask 0xbf, 2019-09-05, rev 0x400002c, size 51200 sig 0x00060663, pf_mask 0x80, 2018-04-17, rev 0x002a, size 87040 sig 0x000706a8, pf_mask 0x01, 2019-08-29, rev 0x0016, size 74752 sig 0x000706e5, pf_mask 0x80, 2019-09-05, rev 0x0046, size 102400 sig 0x000a0660, pf_mask 0x80, 2019-08-27, rev 0x00c6, size 91136 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-08-14, rev 0x00d4, size 101376 sig 0x00050654, pf_mask 0xb7, 2019-09-05, rev 0x2000065, size 34816 sig 0x00050657, pf_mask 0xbf, 2019-09-05, rev 0x500002c, size 51200 sig 0x000506e3, pf_mask 0x36, 2019-08-14, rev 0x00d4, size 101376 sig 0x000706a1, pf_mask 0x01, 2019-08-28, rev 0x0032, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-08-14, rev 0x00c6, size 99328 sig 0x000806e9, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-08-14, rev 0x00c6, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906ed, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 + Updated Microcodes (previously removed): sig 0x00050653, pf_mask 0x97, 2019-09-09, rev 0x1000151, size 32768 . intel-microcode (3.20190918.1) unstable; urgency=medium . * New upstream microcode datafile 20190918 + SECURITY UPDATE *Might* contain mitigations for INTEL-SA-00247 (RAMBleed), given the set of processors being updated. + Updated Microcodes: sig 0x000306d4, pf_mask 0xc0, 2019-06-13, rev 0x002e, size 19456 sig 0x000306f4, pf_mask 0x80, 2019-06-17, rev 0x0016, size 18432 sig 0x00040671, pf_mask 0x22, 2019-06-13, rev 0x0021, size 14336 sig 0x000406f1, pf_mask 0xef, 2019-06-18, rev 0xb000038, size 30720 sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 sig 0x00050657, pf_mask 0xbf, 2019-08-12, rev 0x500002b, size 51200 sig 0x00050662, pf_mask 0x10, 2019-06-17, rev 0x001c, size 32768 sig 0x00050663, pf_mask 0x10, 2019-06-17, rev 0x7000019, size 24576 sig 0x00050664, pf_mask 0x10, 2019-06-17, rev 0xf000017, size 24576 sig 0x00050665, pf_mask 0x10, 2019-06-17, rev 0xe00000f, size 19456 intel-microcode (3.20190918.1) unstable; urgency=medium . * New upstream microcode datafile 20190918 + SECURITY UPDATE *Might* contain mitigations for INTEL-SA-00247 (RAMBleed), given the set of processors being updated. + Updated Microcodes: sig 0x000306d4, pf_mask 0xc0, 2019-06-13, rev 0x002e, size 19456 sig 0x000306f4, pf_mask 0x80, 2019-06-17, rev 0x0016, size 18432 sig 0x00040671, pf_mask 0x22, 2019-06-13, rev 0x0021, size 14336 sig 0x000406f1, pf_mask 0xef, 2019-06-18, rev 0xb000038, size 30720 sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 sig 0x00050657, pf_mask 0xbf, 2019-08-12, rev 0x500002b, size 51200 sig 0x00050662, pf_mask 0x10, 2019-06-17, rev 0x001c, size 32768 sig 0x00050663, pf_mask 0x10, 2019-06-17, rev 0x7000019, size 24576 sig 0x00050664, pf_mask 0x10, 2019-06-17, rev 0xf000017, size 24576 sig 0x00050665, pf_mask 0x10, 2019-06-17, rev 0xe00000f, size 19456 intel-microcode (3.20190618.1) unstable; urgency=medium . * New upstream microcode datafile 20190618 + SECURITY UPDATE Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223 CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 for Sandybridge server and Core-X processors + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432 sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456 * Add some missing (minor) changelog entries to 3.20190514.1 * Reformat 3.20190514.1 changelog entry to match rest of changelog italc (1:3.0.3+dfsg1-1+deb9u1) stretch; urgency=medium . * Porting of libvncserver+libvncclient security patches: - CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. - CVE-2018-15127: heap out-of-bound write vulnerability. - CVE-2018-20019: multiple heap out-of-bound write vulnerabilities. - CVE-2018-20020: heap out-of-bound write vulnerability inside structure in VNC client code. - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. - CVE-2018-20022: CWE-665: Improper Initialization vulnerability. - CVE-2018-20023: Improper Initialization vulnerability in VNC Repeater client code. - CVE-2018-20024: null pointer dereference that can result DoS. - CVE-2018-6307: heap use-after-free vulnerability in server code of file transfer extension. - CVE-2018-20748: incomplete fix for CVE-2018-20019 oob heap writes. - CVE-2018-20749: incomplete fix for CVE-2018-15127 oob heap writes. - CVE-2018-20750: incomplete fix for CVE-2018-15127 oob heap writes. - CVE-2018-15126: heap use-after-free resulting in possible RCE. - CVE-2019-15681: rfbserver: don't leak stack memory to the remote. * debian/control: + Update Vcs-*: fields. Package has been migrated to salsa.debian.org. jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high . * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943. Several deserialization flaws were discovered in jackson-databind which could allow an unauthenticated user to perform code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. ldm (2:2.2.18-2+deb9u1) stretch-security; urgency=medium . * Add patch fixing root access when LDM_USERNAME is unset. libapreq2 (2.13-7~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch-security . libapreq2 (2.13-7) unstable; urgency=high . * Source-only upload. . libapreq2 (2.13-6) unstable; urgency=high . * 05-nested-multipart-null-dereference.patch: New patch by Max Kellermann, fixes a NULL pointer dereference bug with nested multipart form submission. (Closes: #939937) libapreq2 (2.13-6) unstable; urgency=high . * 05-nested-multipart-null-dereference.patch: New patch by Max Kellermann, fixes a NULL pointer dereference bug with nested multipart form submission. (Closes: #939937) libarchive (3.2.2-2+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the LTS team. * CVE-2019-18408 Fix use after free in case parts of the archive are corrupt but the archive contains several headers. * Fix CVE-2019-1000019 Out-of-bounds Read vulnerability in 7zip decompression, that can result in a crash (denial of service, CWE-125) * Fix CVE-2019-1000020 vulnerability in ISO9660 parser that can result in DoS by infinite loop (CWE-835) libdate-holidays-de-perl (1.9-1+deb9u4) stretch; urgency=medium . * Mark International Childrens Day (Sep 20th) as a holiday in Thuringia from 2019 on libdatetime-timezone-perl (1:2.09-1+2019c) stretch; urgency=medium . * Update to Olson database version 2019c. This update contains contemporary changes for Fiji and Norfolk Island. libidn (1.33-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix CVE-2017-14062: An integer overflow vulnerability in libidn's Punycode handling (an encoding used to convert Unicode characters to ASCII) which would have allowed remote attackers to cause a denial of service. * Import 0004-Update-Makefile.gdoc-to-use-GDOC_BIN-instead-of-hard.patch from unstable to avoid a FTBFS. - Add textinfo to Build-Deps. libjaxen-java (1.1.6-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Ignore the test failures (Closes: #909216) libofx (1:0.9.10-2+deb9u2) stretch; urgency=medium . * Add upstream patches to fix: - CVE-2019-9656 (Closes: #924350). libole-storage-lite-perl (0.19-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Backport upstream fix for years >= 2020 being misinterpreted. (Closes: #948668) libparse-win32registry-perl (1.0-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add patch to fix Y2K20 problem. (Closes: #948682) libperl4-corelibs-perl (0.003-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add t/timelocal.t fix for Y2K20 problem in t/timelocal.t. (Closes: #948666) libpst (0.6.59-1+deb9u1) stretch; urgency=medium . * Fix detection of get_current_dir_name and return truncation libreoffice (1:5.2.7-1+deb9u11) stretch-security; urgency=medium . * debian/patches/expand-pyuno-path-separators.diff. debian/patches/construct-final-url-from-parsed-output.diff, debian/patches/an-absolute-uri-is-invalid-input.diff, debian/patches/Improve-check-for-absolute-URI.diff, debian/patches/Improve-check.diff: add from libreoffice-6-3(-0,-1) branch - more fixes... (CVE-2019-9854/CVE-2019-9855) libsixel (1.5.2-2+deb9u1) stretch; urgency=medium . * d/patches/0001-Add-malloc-size-check.patch: fix CVE-2018-19756 * d/patches/0002-assign-default-error-message.patch: fix CVE-2018-19757 * d/patches/0003-add-limitation-to-width-and-height.patch: fix CVE-2018-19759 * CVE-2018-19761 is not security issue * d/patches/0004-size-check.patch: fix CVE-2018-19762 * CVE-2018-19763 is fixed by 0001-Add-malloc-size-check.patch * d/patches/0005-check-error-for-jpeg_read_scanlines.patch: fix CVE-2019-3573 * d/patches/0006-check-number-of-repeat_count.patch: fix CVE-2019-3574 * d/patches/0007-fix-memory-leak.patch: fix CVE-2018-14072, CVE-2018-14073 libsolv (0.6.24-1+deb9u2) stretch; urgency=medium . * debian/patches: + CVE-2019-20387: Add 0001_CVE-2019-20387.patch. Resolves heap-based buffer over-read in repodata.c (Closes: #949611). + Trivial rebase of patches 1004, 1006 and 2001. libtest-mocktime-perl (0.17-0+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * New upstream release. - Only change is a fix for a build failure in the year 2020 and later. (Closes: #948669) libtest-mocktime-perl (0.16-1) unstable; urgency=medium . * Team upload. . [ Salvatore Bonaccorso ] * debian/control: Use HTTPS transport protocol for Vcs-Git URI . [ gregor herrmann ] * debian/copyright: change Copyright-Format 1.0 URL to HTTPS. * Remove Rene Mayorga from Uploaders. Thanks for your work! . [ Salvatore Bonaccorso ] * Update Vcs-* headers for switch to salsa.debian.org . [ gregor herrmann ] * New upstream release. * Update years of packaging copyright. * Declare compliance with Debian Policy 4.1.3. * Bump debhelper compatibility level to 10. * Add lintian override for "timestamp in the future". libtimedate-perl (2.3000-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add patch from upstream pull request to fix Y2K20 test failure. (Closes: #948680) libvncserver (0.9.11+dfsg-1.3~deb9u3) stretch; urgency=medium . * Regression update. . * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes: #905786). libvncserver (0.9.11+dfsg-1.3~deb9u2) stretch; urgency=medium . * CVE-2019-15681: + rfbserver: don't leak stack memory to the remote. (Closes: #943793). * debian/patches: + Trivial patch rebasing. + Add 3 use-after-free patches. Resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers. (Closes: #905786). + Add 0002-set-true-color-flag-to-1.patch. Fix connecting to VMware servers. (Closes: #880531). libvpx (1.6.1-3+deb9u2) stretch-security; urgency=medium . * CVE-2019-9232 CVE-2019-9325 CVE-2019-9433 libxslt (1.1.29-2.1+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646) limnoria (2017.01.10-1+deb9u1) stretch; urgency=medium . * Add patch from upstream to fix remote information disclosure and possibly remote code execution in the Math plugin. CVE-2019-19010 linux (4.9.210-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.190 - usb: usbfs: fix double-free of usb memory upon submiturb error - usb: iowarrior: fix deadlock on disconnect - sound: fix a memory leak bug - [x86] mm: Check for pfn instead of page in vmalloc_sync_one() - [x86] mm: Sync also unmappings in vmalloc_sync_all() - mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() - perf record: Fix wrong size in perf_record_mmap for last kernel module - perf db-export: Fix thread__exec_comm() - [s390x] perf record: Fix module size on s390 - usb: yurex: Fix use-after-free in yurex_delete (CVE-2019-19531) - can: peak_usb: fix potential double kfree_skb() - netfilter: nfnetlink: avoid deadlock due to synchronous request_module - mac80211: don't warn about CW params when not using them - hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 - [s390x] qdio: add sanity checks to the fast-requeue path - ALSA: compress: Fix regression on compressed capture streams - ALSA: compress: Prevent bypasses of set_params - ALSA: compress: Don't allow paritial drain operations on capture streams - ALSA: compress: Be more restrictive about when a drain is allowed - perf probe: Avoid calling freeing routine multiple times for same pointer - drbd: dynamically allocate shash descriptor - ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() - scsi: megaraid_sas: fix panic on loading firmware crashdump - [ppc64el] scsi: ibmvfc: fix WARN_ON during event pool release - scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG - tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop - perf/core: Fix creating kernel counters for PMUs that override event->cpu - can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices (CVE-2019-19536) - can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices (CVE-2019-19535) - ALSA: firewire: fix a memory leak bug - ALSA: hda - Don't override global PCM hw info flag - mac80211: don't WARN on short WMM parameters from AP - SMB3: Fix deadlock in validate negotiate hits reconnect - smb3: send CAP_DFS capability during session setup - mwifiex: fix 802.11n/WPA detection - iwlwifi: don't unmap as page memory that was mapped as single - scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA - mm/usercopy: use memory range to be accessed for wraparound check - mm/memcontrol.c: fix use after free in mem_cgroup_iter() - bpf: get rid of pure_initcall dependency to enable jits - bpf: restrict access to core bpf sysctls - bpf: add bpf_jit_limit knob to restrict unpriv allocations - ALSA: hda - Fix a memory leak bug - ALSA: hda - Add a generic reboot_notify - ALSA: hda - Let all conexant codec enter D3 when rebooting - HID: holtek: test for sanity of intfdata - HID: hiddev: avoid opening a disconnected device (CVE-2019-19527) - HID: hiddev: do cleanup in failure of opening a device (CVE-2019-19527) - Input: kbtab - sanity check for endpoint type - Input: iforce - add sanity checks - net: usb: pegasus: fix improper read if get_registers() fail - xen/pciback: remove set but not used variable 'old_state' - perf header: Fix divide by zero error if f_header.attr_size==0 - perf header: Fix use of unitialized value warning - libata: zpodd: Fix small read overflow in zpodd_get_mech_type() - scsi: hpsa: correct scsi command status issue after reset - ata: libahci: do not complain in case of deferred probe - [arm64] efi: fix variable 'si' set but not used - [arm64] mm: fix variable 'pud' set but not used - IB/core: Add mitigation for Spectre V1 - IB/mad: Fix use-after-free in ib mad completion handling - ocfs2: remove set but not used variable 'last_hash' - [x86] staging: comedi: dt3000: Fix signed integer overflow 'divider * base' - [x86] staging: comedi: dt3000: Fix rounding up of timer divisor - USB: core: Fix races in character device registration and deregistraion (CVE-2019-19537) - usb: cdc-acm: make sure a refcount is taken early enough (CVE-2019-19530) - USB: CDC: fix sanity checks in CDC union parser - asm-generic: fix -Wtype-limits compiler warnings - bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K - [arm64] compat: Allow single-byte watchpoints on all addresses - Input: psmouse - fix build error of multiple definition - [x86] iommu/amd: Move iommu_init_pci() to .init section - bnx2x: Fix VF's VLAN reconfiguration in reload. - net/packet: fix race in tpacket_snd() - sctp: fix the transport error_count check - xen/netback: Reset nr_frags before freeing skb - net/mlx5e: Only support tx/rx pause setting for port owner - net/mlx5e: Use flow keys dissector to parse packets for ARFS - team: Add vlan tx offload to hw_enc_features - bonding: Add vlan tx offload to hw_enc_features https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.191 - [mips*] kernel: only use i8253 clocksource with periodic clockevent - netfilter: ebtables: fix a memory leak bug in compat - ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks - bonding: Force slave speed check after link state recovery for 802.3ad - can: dev: call netif_carrier_off() in register_candev() - [armhf] ASoC: ti: davinci-mcasp: Correct slot_width posed constraint - isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain() - isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack - perf bench numa: Fix cpu0 binding - can: sja1000: force the string buffer NULL-terminated - can: peak_usb: force the string buffer NULL-terminated - NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() - HID: input: fix a4tech horizontal wheel custom usage - net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' - [arm64] net: hisilicon: make hip04_tx_reclaim non-reentrant - [arm64] net: hisilicon: fix hip04-xmit never return TX_BUSY - [arm64] net: hisilicon: Fix dma_map_single failed on arm64 - libata: add SG safety checks in SFF pio transfers - [x86] drm/vmwgfx: fix memory leak when too many retries have occurred - perf pmu-events: Fix missing "cpu_clk_unhalted.core" event - HID: wacom: correct misreported EKR ring values - HID: wacom: Correct distance scale for 2nd-gen Intuos devices - Revert "dm bufio: fix deadlock with loop device" - gpiolib: never report open-drain/source lines as 'input' to user-space - userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx - [i386] retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386 - [x86] apic: Handle missing global clockevent gracefully - [x86] boot: Save fields explicitly, zero out everything else - [x86] boot: Fix boot regression caused by bootparam sanitizing - dm btree: fix order of block initialization in btree_split_beneath - dm space map metadata: fix missing store of apply_bops() return value - dm table: fix invalid memory accesses with too high sector number - genirq: Properly pair kobject_del() with kobject_add() - mm, page_owner: handle THP splits correctly - mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely - [x86] CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h - dmaengine: ste_dma40: fix unneeded variable warning - iommu/dma: Handle SG length overflow better - usb: gadget: composite: Clear "suspended" on reset/disconnect - xen/blkback: fix memory leaks - [x86] tools: hv: fix KVP and VSS daemons exit code - [armhf,arm64] watchdog: bcm2835_wdt: Fix module autoload - scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value - tcp: make sure EPOLLOUT wont be missed - ALSA: line6: Fix memory leak at line6_init_pcm() error path - ALSA: seq: Fix potential concurrent access to the deleted pool - [x86] KVM: Don't update RIP or do single-step on faulting emulation - [x86] apic: Do not initialize LDR and DFR for bigsmp - mm/zsmalloc.c: fix race condition in zs_destroy_pool - usb-storage: Add new JMS567 revision to unusual_devs - USB: cdc-wdm: fix race between write and disconnect due to flag abuse - [armhf,arm64] usb: chipidea: udc: don't do hardware access if gadget has stopped - usb: host: ohci: fix a race condition between shutdown and irq - usb: host: xhci: rcar: Fix typo in compatible string matching - USB: storage: ums-realtek: Update module parameter description for auto_delink_en - USB: storage: ums-realtek: Whitelist auto-delink support - [x86] uprobes: Fix detection of 32-bit user mode - mmc: core: Fix init of SD cards reporting an invalid VDD range - [x86] VMCI: Release resource if the work is already queued - Revert "cfg80211: fix processing world regdomain when non modular" - mac80211: fix possible sta leak - [armhf,arm64] KVM: vgic: Fix potential deadlock when ap_list is long - [armhf,arm64] KVM: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI - [x86] i2c: piix4: Fix port selection for AMD Family 16h Model 30h - mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.192 - Bluetooth: btqca: Add a short delay before downloading the NVM - [ppc64el] ibmveth: Convert multicast list size for little-endian system - gpio: Fix build error of function redefinition - cxgb4: fix a memory leak bug - net: myri10ge: fix memory leaks - cx82310_eth: fix a memory leak bug - net: kalmia: fix memory leaks - wimax/i2400m: fix a memory leak bug - IB/mlx4: Fix memory leaks - ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() - ceph: fix buffer free while holding i_ceph_lock in fill_inode() - [armhf,arm64] KVM: Only skip MMIO insn once - libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer - [armhf,arm64] spi: bcm2835aux: ensure interrupts are enabled for shared handler - [armhf,arm64] spi: bcm2835aux: unifying code between polling and interrupt driven code - [armhf,arm64] spi: bcm2835aux: remove dangerous uncontrolled read of fifo - [armhf,arm64] spi: bcm2835aux: fix corruptions for longer spi transfers - net: fix skb use after free in netpoll - [armhf,arm64] net: stmmac: dwmac-rk: Don't fail if phy regulator is absent - tcp: inherit timestamp on mtu probe - mld: fix memory leak in mld_del_delrec() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.193 - ALSA: hda - Fix potential endless loop at applying quirks - ALSA: hda/realtek - Fix overridden device-specific initialization - sched/fair: Don't assign runtime for throttled cfs_rq - [x86] drm/vmwgfx: Fix double free in vmw_recv_msg() - [ppc64el] tm: Fix FP/VMX unavailable exceptions inside a transaction (CVE-2019-15030) - xfrm: clean up xfrm protocol checks - ip6: fix skb leak in ip6frag_expire_frag_queue() - batman-adv: fix uninit-value in batadv_netlink_get_ifindex() - batman-adv: Only read OGM tvlv_len after buffer len check - [armhf] clk: s2mps11: Add used attribute to s2mps11_dt_match https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.194 - bridge/mdb: remove wrong use of NLM_F_MULTI - cdc_ether: fix rndis support for Mediatek based smartphones - ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' - isdn/capi: check message length in capi_write() - net: Fix null de-reference of device refcount - net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero - sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR - tipc: add NULL pointer check before calling kfree_rcu - tun: fix use-after-free when register netdev failed - gpio: fix line flag validation in linehandle_create - gpio: fix line flag validation in lineevent_create - Btrfs: fix assertion failure during fsync and use of stale transaction - genirq: Prevent NULL pointer dereference in resend_irqs() - [s390x] KVM: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl - [x86] KVM: work around leak of uninitialized stack contents - [x86] KVM: nVMX: handle page fault in vmread - [mips*] VDSO: Prevent use of smp_processor_id() - [mips*] VDSO: Use same -m%-float cflag as the kernel proper - [armhf] clk: rockchip: Don't yell about bad mmc phases when getting - driver core: Fix use-after-free and double free on glue directory - nvmem: Use the same permissions for eeprom as for nvmem - USB: usbcore: Fix slab-out-of-bounds bug during device reset - media: tm6000: double free if usb disconnect while streaming - [ppc64el] mm/radix: Use the right page size for vmemmap mapping - [x86] boot: Add missing bootparam that breaks boot on some platforms - xen-netfront: do not assume sk_buff_head list is empty in error handling - tty/serial: atmel: reschedule TX after RX was started - mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings (CVE-2019-14814, CVE-2019-14815, CVE-2019-14816) - [armhf] OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss - [s390x] bpf: fix lcgr instruction encoding - [armhf] OMAP2+: Fix omap4 errata warning on other SoCs - [s390x] bpf: use 32-bit index for tail calls - NFSv4: Fix return values for nfs4_file_open() - NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup - qed: Add cleanup in qed_slowpath_start() - [armel,armhf] 8874/1: mm: only adjust sections of valid mm structures - batman-adv: Only read OGM2 tvlv_len after buffer len check - r8152: Set memory to all 0xFFs on failed reg reads - [x86] apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines - netfilter: nf_conntrack_ftp: Fix debug output - NFSv2: Fix eof handling - NFSv2: Fix write regression - cifs: set domainName when a domain-key is used in multiuser - cifs: Use kzfree() to zero out the password - [armel,armhf] 8901/1: add a criteria for pfn_valid of arm - [x86] sky2: Disable MSI on yet another ASUS boards (P6Xxxx) - [x86] perf/intel: Restrict period on Nehalem - [x86] perf/amd/ibs: Fix sample bias for dispatched micro-ops - [x86] tools/power turbostat: fix buffer overrun - [armhf] dmaengine: ti: dma-crossbar: Fix a memory leak bug - [armhf] dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() - [x86] uaccess: Don't leak the AC flags into __get_user() argument evaluation - keys: Fix missing null pointer check in request_key_auth_describe() - [x86] iommu/amd: Fix race in increase_address_space() - floppy: fix usercopy direction - media: technisat-usb2: break out of loop at end of buffer (CVE-2019-15505) - net_sched: let qdisc_put() accept NULL pointer https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.195 - Revert "Bluetooth: validate BLE connection interval updates" - IB/core: Add an unbound WQ type to the new CQ API - HID: prodikeys: Fix general protection fault during probe - HID: logitech: Fix general protection fault caused by Logitech driver - HID: hidraw: Fix invalid read in hidraw_ioctl - mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() - media: tvp5150: fix switch exit in set control handler - [armhf] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() - [x86] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop - mac80211: Print text for disassociation reason - mac80211: handle deauthentication/disassociation from TDLS peer (CVE-2019-0136) - power: supply: sysfs: ratelimit property read error message - [armhf,arm64] irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices - f2fs: check all the data segments against all node ones - Revert "f2fs: avoid out-of-range memory access" - f2fs: fix to do sanity check on segment bitmap of LFS curseg - drm: Flush output polling on shutdown - xfs: don't crash on null attr fork xfs_bmapi_read - arcnet: provide a buffer big enough to actually receive packets - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize - macsec: drop skb sk before calling gro_cells_receive - net/phy: fix DP83865 10 Mbps HDX loopback disable function - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC - ppp: Fix memory leak in ppp_write - sch_netem: fix a divide by zero in tabledist() - skge: fix checksum byte order - usbnet: ignore endpoints with invalid wMaxPacketSize - usbnet: sanity checking of packet sizes and device mtu - mISDN: enforce CAP_NET_RAW for raw sockets (CVE-2019-17055) - appletalk: enforce CAP_NET_RAW for raw sockets (CVE-2019-17054) - ax25: enforce CAP_NET_RAW for raw sockets (CVE-2019-17052) - ieee802154: enforce CAP_NET_RAW for raw sockets (CVE-2019-17053) - nfc: enforce CAP_NET_RAW for raw sockets (CVE-2019-17056) - [armhf] ASoC: sgtl5000: Fix charge pump source assignment - [armhf,arm64] dmaengine: bcm2835: Print error in case setting DMA mask fails - media: dib0700: fix link error for dibx000_i2c_set_speed - media: hdpvr: Add device num check and handling - sched/fair: Fix imbalance due to CPU affinity - sched/core: Fix CPU controller for !RT_GROUP_SCHED - [x86] reboot: Always use NMI fallback when shutdown via reboot vector IPI fails - [x86] apic: Soft disable APIC before initializing it - ALSA: hda - Show the fatal CORB/RIRB error more clearly - ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() - media: iguanair: add sanity checks - ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid - md: don't call spare_active in md_reap_sync_thread if all member devices can't work - md: don't set In_sync if array is frozen - efi: cper: print AER info of PCIe fatal error - media: gspca: zero usb_buf on error - [armhf] media: omap3isp: Don't set streaming state on random subdevs - media: radio/si470x: kill urb on error - media: hdpvr: add terminating 0 at end of string - media: dvb-core: fix a memory leak bug - PM / devfreq: passive: Use non-devm notifiers - PM / devfreq: exynos-bus: Correct clock enable sequence - media: saa7146: add cleanup in hexium_attach() - media: cpia2_usb: fix memory leaks - media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() - ACPI / CPPC: do not require the _PSD method - [arm64] kpti: ensure patched kernel text is fetched from PoU - nvmet: fix data units read and written counters in SMART log - [x86] iommu/amd: Silence warnings under memory pressure - libtraceevent: Change users plugin directory - [armhf] dts: exynos: Mark LDO10 as always-on on Peach Pit/Pi Chromebooks - ACPI: custom_method: fix memory leaks - ACPI / PCI: fix acpi_pci_irq_enable() memory leak - hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' - md/raid1: fail run raid1 array when active disk less than one - [armhf] dmaengine: ti: edma: Do not reset reserved paRAM slots - kprobes: Prohibit probing on BUG() and WARN() address - [s390x] crypto: xts-aes-s390 fix extra run-time crypto self tests finding - ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set - libertas: Add missing sentinel at end of if_usb.c fw_table - e1000e: add workaround for possible stalled packet - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) - media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (CVE-2019-19533) - [x86] ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 - btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type - [armhf] media: omap3isp: Set device on omap3isp subdevs - PM / devfreq: passive: fix compiler warning - ALSA: firewire-tascam: handle error code when getting current source of clock - ALSA: firewire-tascam: check intermediate state of clock status and retry - IB/hfi1: Define variables as unsigned long to fix KASAN warning - printk: remove games with previous record flags - printk: Do not lose last line in kmsg buffer dump - fuse: fix missing unlock_page in fuse_writepage() - [x86] KVM: always stop emulation on page fault - [x86] KVM: set ctxt->have_exception in x86_decode_insn() - [x86] KVM: Manually calculate reserved bits when loading PDPTRS - [x86] media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table - [x86] ASoC: Intel: NHLT: Fix debug print format - [x86] ASoC: Intel: Fix use of potentially uninitialized variable - alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP - memcg, kmem: do not fail __GFP_NOFAIL charges - ovl: filter of trusted xattr results in audit - Btrfs: fix use-after-free when using the tree modification log - btrfs: Relinquish CPUs in btrfs_compare_trees - md/raid6: Set R5_ReadError when there is read failure on parity disk - cfg80211: Purge frame registrations on iftype change - /dev/mem: Bail out upon SIGKILL. - ext4: fix warning inside ext4_convert_unwritten_extents_endio - ext4: fix punch hole for inline_data file systems - quota: fix wrong condition in is_quota_modification() - hwrng: core - don't wait on add_early_randomness() - CIFS: fix max ea value size - CIFS: Fix oplock handling for SMB 2.1+ protocols - btrfs: qgroup: Drop quota_root and fs_info parameters from update_qgroup_status_item - Btrfs: fix race setting up and completing qgroup rescan workers https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.196 - gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() - ipmi_si: Only schedule continuously in the thread in maintenance mode - [ppc64el] rtas: use device model APIs and serialization during LPM - [ppc64el] futex: Fix warning: 'oldval' may be used uninitialized in this function - [ppc64el] pseries/mobility: use cond_resched when updating device tree - [armhf,arm64] pinctrl: tegra: Fix write barrier placement in pmx_writel - vfio_pci: Restore original state on release - drm/amdgpu/si: fix ASIC tests - [ppc64el] exception: machine check use correct cfar for late handler - [ppc64el] pseries: correctly track irq state in default idle - [arm64] fix unreachable code issue with cmpxchg - scsi: core: Reduce memory required for SCSI logging - [mips*] tlbex: Explicitly cast _PAGE_NO_EXEC to a boolean - [x86] mfd: intel-lpss: Remove D3cold delay - [armhf] PCI: tegra: Fix OF node reference leak - [armel,armhf] 8898/1: mm: Don't treat faults reported from cache maintenance as writes - HID: apple: Fix stuck function keys when using FN - [armel,armhf] 8903/1: ensure that usable memory in bank 0 starts from a PMD-aligned address - fat: work around race with userspace's read via blockdev while mounting - [s390x] hypfs: Fix error number left in struct pointer member - ocfs2: wait for recovering done after direct unlock request - ANDROID: binder: remove waitqueue when thread exits. (CVE-2019-2215) - cxgb4:Fix out-of-bounds MSI-X info array access - hso: fix NULL-deref on tty open - ipv6: drop incoming packets having a v4mapped source address - net: ipv4: avoid mixed n_redirects and rate_tokens usage - net: qlogic: Fix memory leak in ql_alloc_large_buffers - net: Unpublish sk from sk_reuseport_cb before call_rcu - nfc: fix memory leak in llcp_sock_bind() - sch_dsmark: fix potential NULL deref in dsmark_init() - net/rds: Fix error handling in rds_ib_add_one() - xen-netfront: do not use ~0U as error return value for xennet_fill_frags() - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash - ipv6: Handle missing host route in __ipv6_ifa_notify - NFC: fix attrs checks in netlink interface https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.197 - [s390x] KVM: Test for bad access register and size at the start of S390_MEM_OP - [s390x] topology: avoid firing events before kobjs are created - [s390x] cio: avoid calling strlen on null pointer - [s390x] cio: exclude subchannels with no parent from pseudo check - [x86] KVM: nVMX: handle page fault in vmread fix - ASoC: Define a set of DAPM pre/post-up events - [ppc64el] powernv: Restrict OPAL symbol map to only be readable by root - [x86] crypto: qat - Silence smp_processor_id() warning - usercopy: Avoid HIGHMEM pfn warning - timer: Read jiffies once when forwarding base clk - [armhf] watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout - ieee802154: atusb: fix use-after-free at disconnect (CVE-2019-19525) - cfg80211: initialize on-stack chandefs - ima: always return negative code for error - fs: nfs: Fix possible null-pointer dereferences in encode_attrs() - 9p: avoid attaching writeback_fid on mmap with type PRIVATE - xen/pci: reserve MCFG areas earlier - ceph: fix directories inode i_blkbits initialization - ceph: reconnect connection if session hang in opening state - drm/amdgpu: Check for valid number of registers to read - thermal: Fix use-after-free when unregistering thermal zone device - fuse: fix memleak in cuse_channel_open - sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr() - kernel/elfcore.c: include proper prototypes - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure - perf tools: Fix segfault in cpu_cache_level__read() - perf stat: Fix a segmentation fault when using repeat forever - perf stat: Reset previous counts on repeat with interval - cfg80211: add and use strongly typed element iteration macros - cfg80211: Use const more consistently in for_each_element macros - nl80211: validate beacon head (CVE-2019-16746) - [armhf] ASoC: sgtl5000: Improve VAG power and mute control - panic: ensure preemption is disabled during panic() - USB: rio500: Remove Rio 500 kernel driver - USB: yurex: Don't retry on unexpected errors - USB: yurex: fix NULL-derefs on disconnect - xhci: Fix false warning message about wrong bounce buffer write length - xhci: Prevent device initiated U1/U2 link pm if exit latency is too long - xhci: Check all endpoints for LPM timeout - usb: xhci: wait for CNR controller not ready bit in xhci resume - xhci: Increase STS_SAVE timeout in xhci_suspend() - USB: adutux: remove redundant variable minor - USB: adutux: fix use-after-free on disconnect (CVE-2019-19523) - USB: adutux: fix NULL-derefs on disconnect - USB: adutux: fix use-after-free on release - USB: iowarrior: fix use-after-free on disconnect (CVE-2019-19528) - USB: iowarrior: fix use-after-free on release - USB: iowarrior: fix use-after-free after driver unbind - USB: usblp: fix runtime PM after driver unbind - USB: chaoskey: fix use-after-free on release - USB: ldusb: fix NULL-derefs on driver unbind - USB: serial: keyspan: fix NULL-derefs on open() and write() - USB: serial: fix runtime PM after driver unbind - USB: usblcd: fix I/O after disconnect - USB: microtek: fix info-leak at probe - USB: dummy-hcd: fix power budget for SuperSpeed mode - USB: legousbtower: fix slab info leak at probe - USB: legousbtower: fix deadlock on disconnect - USB: legousbtower: fix potential NULL-deref on disconnect - USB: legousbtower: fix open after failed reset request - USB: legousbtower: fix use-after-free on release - efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified - perf llvm: Don't access out-of-scope array - perf inject jit: Fix JIT_CODE_MOVE filename - CIFS: Gracefully handle QueryInfo errors during open - CIFS: Force revalidate inode when dentry is stale - CIFS: Force reval dentry if LOOKUP_REVAL flag is set - kernel/sysctl.c: do not override max_threads provided by userspace - [mips*/loongson-3] Disable Loongson MMI instructions for kernel build - vfs: Fix the locking in dcache_readdir() and friends - media: stkwebcam: fix runtime PM after driver unbind - [rt] tracing/hwlat: Report total time spent in all NMIs during the sample - [rt] tracing/hwlat: Don't ignore outer-loop duration when calculating max_latency - tracing: Get trace_array reference for available_tracers files - [x86] asm: Fix MWAITX C-state hint value - xfs: clear sb->s_fs_info on mount failure (CVE-2018-20976) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.198 - scsi: ufs: skip shutdown if hba is not powered - scsi: megaraid: disable device when probe failed after enabled device - scsi: qla2xxx: Fix unbound sleep in fcport delete path. - [armhf] OMAP2+: Fix missing reset done flag for am3 and am43 - nl80211: fix null pointer dereference - mac80211: fix txq null pointer dereference - [mips*/loongson-3] Fix the link time qualifier of 'serial_exit()' - [arm64] net: hisilicon: Fix usage of uninitialized variable in function mdio_sc_cfg_reg_write() - namespace: fix namespace.pl script to support relative paths - ocfs2: fix panic due to ocfs2_wq is null - loop: Add LOOP_SET_DIRECT_IO to compat ioctl - sctp: change sctp_prot .no_autobind with true - net: avoid potential infinite loop in tc_ctl_action() - ipv4: Return -ENETUNREACH if we can't create route but saddr is valid (Closes: #945023) - memfd: Fix locking when tagging pins - USB: legousbtower: fix memleak on disconnect - USB: serial: ti_usb_3410_5052: fix port-close races - USB: ldusb: fix memleak on disconnect - USB: usblp: fix use-after-free on disconnect - USB: ldusb: fix read info leaks - [mips*] tlbex: Fix build_restore_pagemask KScratch restore - [x86] staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS - scsi: core: try to get module before removing device - cfg80211: wext: avoid copying malformed SSIDs (CVE-2019-17133) - mac80211: Reject malformed SSID elements - [x86] drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 - [s390x] scsi: zfcp: fix reaction on bit error threshold notification - mm/slub: fix a deadlock in show_slab_objects() - CIFS: avoid using MID 0xFFFF - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() - memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' - cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown - xen/netback: fix error path of xenvif_connect_data() - PCI: PM: Fix pci_power_up() - Revert "net: sit: fix memory leak in sit_init_net()" - RDMA/cxgb4: Do not dma memory off of the stack (CVE-2019-17075) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.199 - dm snapshot: use mutex instead of rw_semaphore - dm snapshot: introduce account_start_copy() and account_end_copy() - dm snapshot: rework COW throttling to fix deadlock - dm: Use kzalloc for all structs with embedded biosets/mempools - [x86] HID: i2c-hid: add Direkt-Tek DTLAPY133-1 to descriptor override - [x86] HID: i2c-hid: Add Odys Winbook 13 to descriptor override - usb: handle warm-reset port requests on hub resume - [armhf] rtc: pcf8523: set xtal load capacitance from DT - exec: load_script: Do not exec truncated interpreter path - [x86] iio: fix center temperature of bmc150-accel-core - perf map: Fix overlapped map handling - perf jevents: Fix period for Intel fixed counters - staging: rtl8188eu: fix null dereference when kzalloc fails - RDMA/iwcm: Fix a lock inversion issue - [arm64] gpio: max77620: Use correct unit for debounce times - fs: cifs: mute -Wunused-const-variable message - efi/cper: Fix endianness of PCIe class code - [x86] efi: Do not clean dummy variable in kexec path - ocfs2: clear zero in unaligned direct IO - fs: ocfs2: fix a possible null-pointer dereference in ocfs2_write_end_nolock() - fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc() - NFSv4: Fix leak of clp->cl_acceptor string - [s390x] uaccess: avoid (false positive) compiler warnings - tracing: Initialize iter->seq after zeroing in tracing_read_pipe() - USB: legousbtower: fix a signedness bug in tower_probe() - [x86] thunderbolt: Use 32-bit writes when writing ring producer/consumer - ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe() (CVE-2019-15098) - fuse: flush dirty data/metadata before non-truncate setattr - fuse: truncate pending writes on O_TRUNC - ALSA: bebob: Fix prototype of helper function to return negative value - UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather segments") - USB: gadget: Reject endpoints with 0 maxpacket value - usb-storage: Revert commit 747668dbc061 ("usb-storage: Set virt_boundary_mask to avoid SG overflows") - USB: ldusb: fix ring-buffer locking - USB: ldusb: fix control-message timeout - USB: serial: whiteheat: fix potential slab corruption - USB: serial: whiteheat: fix line-speed endianness - [x86] HID: i2c-hid: add Trekstor Primebook C11B to descriptor override - HID: Fix assumption that devices have inputs (CVE-2019-19532) - HID: fix error message in hid_open_report() - nl80211: fix validation of mesh path nexthop - [s390x] cmm: fix information leak in cmm_timeout_handler() - rtlwifi: Fix potential overflow on P2P code (CVE-2019-17666) - [armhf] dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle - llc: fix sk_buff leak in llc_sap_state_process() - llc: fix sk_buff leak in llc_conn_service() - bonding: fix potential NULL deref in bond_update_slave_arr - net: usb: sr9800: fix uninitialized local variable - sch_netem: fix rcu splat in netem_enqueue() - sctp: fix the issue that flags are ignored when using kernel_connect - sctp: not bind the socket in sctp_connect - xfs: Correctly invert xfs_buftarg LRU isolation logic - ALSA: timer: Limit max instances per timer - ALSA: timer: Simplify error path in snd_timer_open() - ALSA: timer: Fix mutex deadlock at releasing card https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.200 - [armhf] regulator: ti-abb: Fix timeout in ti_abb_wait_txdone/ ti_abb_clear_all_txdone - [armhf] regulator: pfuze100-regulator: Variable "val" in pfuze100_regulator_probe() could be uninitialized - [armhf] ASoc: rockchip: i2s: Fix RPM imbalance - [armhf] dts: logicpd-torpedo-som: Remove twl_keypad - [armel,armhf] mm: fix alignment handler faults under memory pressure - scsi: scsi_dh_alua: handle RTPG sense code correctly during state transitions - perf kmem: Fix memory leak in compact_gfp_flags() - scsi: target: core: Do not overwrite CDB byte 1 - cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs - dccp: do not leak jiffies on the wire - net: fix sk_page_frag() recursion from memory reclaim - [arm64] net: hisilicon: Fix ping latency when deal with high throughput - net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() - net: add READ_ONCE() annotation in __skb_wait_for_more_packets() - [armhf] net: dsa: fix switch tree list - vxlan: check tun_info options_len properly - net/mlx4_core: Dynamically set guaranteed amount of counters per VF - inet: stop leaking jiffies on the wire - Kbuild: make designated_init attribute fatal - kbuild: use -fmacro-prefix-map to make __FILE__ a relative path - net/flow_dissector: switch to siphash (CVE-2019-18282) - [arm64] dmaengine: qcom: bam_dma: Fix resource leak - alarmtimer: Change remaining ENOTSUPP to EOPNOTSUPP https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.201 - CDC-NCM: handle incomplete transfer of MTU - ipv4: Fix table id reference in fib_sync_down_addr - net: fix data-race in neigh_event_send() - nfc: netlink: fix double device reference drop - qede: fix NULL pointer deref in __qede_remove() - ALSA: timer: Fix incorrectly assigned timer instance - ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series - ALSA: hda/ca0132 - Fix possible workqueue stall - mm: thp: handle page cache THP correctly in PageTransCompoundMap - mm, vmstat: hide /proc/pagetypeinfo from normal users - dump_stack: avoid the livelock of the dump_lock - perf tools: Fix time sorting - drm/radeon: fix si_enable_smc_cac() failed issue - ceph: fix use-after-free in __ceph_remove_cap() - netfilter: nf_tables: Align nft_expr private data to 64-bit - netfilter: ipset: Fix an error code in ip_set_sockfn_get() - can: usb_8dev: fix use-after-free on disconnect - can: peak_usb: fix a potential out-of-sync while decoding packets - can: gs_usb: gs_can_open(): prevent memory leak (CVE-2019-19052) - can: peak_usb: fix slab info leak (CVE-2019-19534) - configfs: Fix bool initialization/comparison - configfs: stash the data we need into configfs_buffer at open time - configfs_register_group() shouldn't be (and isn't) called in rmdirable parts - configfs: new object reprsenting tree fragments - configfs: provide exclusion between IO and removals - configfs: fix a deadlock in configfs_symlink() - [x86] usbip: stub_rx: fix static checker warning on unnecessary checks - [x86] usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path - [x86] usbip: fix possibility of dereference by NULLL pointer in vhci_hcd.c - [x86] drivers: usb: usbip: Add missing break statement to switch - [armhf] PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 - [x86] HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring() - scsi: qla2xxx: fixup incorrect usage of host_byte - scsi: lpfc: Honor module parameter lpfc_use_adisc - ipvs: move old_secure_tcp into struct netns_ipvs - bonding: fix unexpected IFF_BONDING bit unset - usb: gadget: composite: Fix possible double free memory bug - usb: gadget: configfs: fix concurrent issue between composite APIs - [armhf,arm64] usb: dwc3: remove the call trace of USBx_GFLADJ - [x86] perf/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity - [x86] perf/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) - USB: Skip endpoints with 0 maxpacket length - RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case - scsi: qla2xxx: stop timer in shutdown path - [amd64] fjes: Handle workqueue allocation failure - [arm64] net: hisilicon: Fix "Trying to free already-free IRQ" - NFSv4: Don't allow a cached open with a revoked delegation - igb: Fix constant media auto sense switching when no cable is connected - e1000: fix memory leaks - [x86] apic: Move pending interrupt check code into it's own function - [x86] apic: Drop logical_smp_processor_id() inline - [x86] apic/32: Avoid bogus LDR warnings - mm/filemap.c: don't initiate writeback if mapping has no dirty pages - cgroup,writeback: don't switch wbs immediately on dead wbs if the memcg is dead - net: prevent load/store tearing on sk->sk_stamp https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.202 - [x86] kvm: mmu: Don't read PDPTEs when paging is not enabled - Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() (CVE-2019-15917) - usb: gadget: core: unmap request from DMA only if previously mapped https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.203 - ax88172a: fix information leak on short answers - slip: Fix memory leak in slip_open error path - ALSA: usb-audio: Fix missing error check at mixer resolution test - ALSA: usb-audio: not submit urb for stopped endpoint - Input: ff-memless - kill timer in destroy() (CVE-2019-19524) - IB/hfi1: Ensure full Gen3 speed in a Gen4 system - ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable - ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either - [x86] iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros - mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() - mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() - ath10k: fix kernel panic by moving pci flush after napi_disable - ALSA: pcm: signedness bug in snd_pcm_plug_alloc() - [arm64] dts: tegra210-p2180: Correct sdmmc4 vqmmc-supply - cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set - ALSA: seq: Do error checks at creating system ports - ath9k: fix tx99 with monitor mode interface - gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated - ASoC: dpcm: Properly initialise hw->rate_max - [armhf] dts: exynos: Fix sound in Snow-rev5 Chromebook - [armhf] dts: exynos: Fix regulators configuration on Peach Pi/Pit Chromebooks - i40e: use correct length for strncpy - i40e: hold the rtnl lock on clearing interrupt scheme - i40e: Prevent deleting MAC address from VF when set by PF - IB/rxe: fixes for rdma read retry - iwlwifi: mvm: avoid sending too many BARs - rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument - net: lan78xx: Bail out if lan78xx_get_endpoints fails - [armhf] ASoC: sgtl5000: avoid division by zero if lo_vag is zero - [armhf] dts: exynos: Disable pull control for S5M8767 PMIC - ath10k: wmi: disable softirq's while calling ieee80211_rx - [x86] ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation - of: make PowerMac cache node search conditional on CONFIG_PPC_PMAC - [armhf] dts: omap3-gta04: give spi_lcd node a label so that we can overwrite in other DTS files - [armhf] dts: omap3-gta04: fixes for tvout / venc - [armhf] dts: omap3-gta04: tvout: enable as display1 alias - [armhf] dts: omap3-gta04: fix touchscreen tsc2007 - [armhf] dts: omap3-gta04: make NAND partitions compatible with recent U-Boot - [armhf] dts: omap3-gta04: keep vpll2 always on - ath9k: add back support for using active monitor interfaces for tx99 - signal: Always ignore SIGKILL and SIGSTOP sent to the global init - signal: Properly deliver SIGILL from uprobes - signal: Properly deliver SIGSEGV from x86 uprobes - f2fs: fix memory leak of percpu counter in fill_super() - scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir() - [armhf] imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set - scsi: pm80xx: Corrected dma_unmap_sg() parameter - scsi: pm80xx: Fixed system hang issue during kexec boot - kprobes: Don't call BUG_ON() if there is a kprobe in use on free list - nvmem: core: return error code instead of NULL from nvmem_device_get - media: fix: media: pci: meye: validate offset to avoid arbitrary access - media: dvb: fix compat ioctl translation - ALSA: intel8x0m: Register irq handler after register initializations - llc: avoid blocking in llc_sap_close() - [ppc64el] vdso: Correct call frame information - [armhf] dts: socfpga: Fix I2C bus unit-address error - cxgb4: Fix endianness issue in t4_fwcache() - component: fix loop condition to call unbind() if bind() fails - kernfs: Fix range checks in kernfs_get_target_path - ip_gre: fix parsing gre header in ipgre_err - [armhf] dts: rockchip: Fix erroneous SPI bus dtc warnings on rk3036 - ath9k: Fix a locking bug in ath9k_add_interface() - [s390x] qeth: invoke softirqs after napi_schedule() - PCI/ACPI: Correct error message for ASPM disabling - [ppc64el] iommu: Avoid derefence before pointer check - [ppc64el] 64s/hash: Fix stab_rr off by one initialization - [ppc64el] pseries: Disable CPU hotplug across migrations - RDMA/i40iw: Fix incorrect iterator type - [armhf] power: supply: twl4030_charger: fix charging current out-of-bounds - [armhf] power: supply: twl4030_charger: disable eoc interrupt on linear charge - [armhf,arm64] usb: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started - [armhf,arm64] usb: chipidea: Fix otg event handler - [armhf] ARM: dts: am335x-evm: fix number of cpsw - f2fs: fix to recover inode's uid/gid during POR - [armel/marvell] dts: marvell: Fix SPI and I2C bus warnings - bnx2x: Ignore bandwidth attention in single function mode - [x86] CPU: Use correct macros for Cyrix calls - [mips*] kexec: Relax memory restriction - media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init() - media: au0828: Fix incorrect error messages - usb: gadget: uvc: configfs: Drop leaked references to config items - usb: gadget: uvc: configfs: Prevent format changes after linking header - [armhf] phy: phy-twl4030-usb: fix denied runtime access - usb: gadget: uvc: Factor out video USB request queueing - usb: gadget: uvc: Only halt video streaming endpoint in bulk mode - [ppc64el] misc: genwqe: should return proper error value. - vfio/pci: Fix potential memory leak in vfio_msi_cap_len - vfio/pci: Mask buggy SR-IOV VF INTx support - scsi: libsas: always unregister the old device if going to discover new - [armhf] dts: tegra30: fix xcvr-setup-use-fuses - EDAC: Raise the maximum number of memory controllers - Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS - crypto: fix a memory leak in rsa-kcs1pad's encryption mode - [arm64] dts: amd: Fix SPI bus warnings - [arm64] dts: lg: Fix SPI controller node names - fuse: use READ_ONCE on congestion_threshold and max_background - IB/iser: Fix possible NULL deref at iser_inv_desc() - memfd: Use radix_tree_deref_slot_protected to avoid the warning. - slcan: Fix memory leak in error path - net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() - [x86] atomic: Fix smp_mb__{before,after}_atomic() - [x86] kprobes: Prohibit probing on exception masking instructions - [x86] uprobes: Prohibit probing on MOV SS instruction - fbdev: Ditch fb_edid_add_monspecs - block: introduce blk_rq_is_passthrough - libata: have ata_scsi_rw_xlat() fail invalid passthrough requests - [armhf] dts: omap5: enable OTG role for DWC3 controller - f2fs: return correct errno in f2fs_gc - SUNRPC: Fix priority queue fairness - [armhf,arm64] kvm: Fix stage2_flush_memslot for 4 level page table - [arm64] numa: Report correct memblock range for the dummy node - ath10k: fix vdev-start timeout on error - ath9k: fix reporting calculated new FFT upper max - nl80211: Fix a GET_KEY reply attribute - cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update - cxgb4: Use proper enum in IEEE_FAUX_SYNC - [ppc64el] pseries: Fix DTL buffer registration - [ppc64el] pseries: Fix how we iterate over the DTL entries - ixgbe: Fix crash with VFs and flow director on interface flap - IB/mthca: Fix error return code in __mthca_init_one() - IB/mlx4: Avoid implicit enumerated type conversion - ACPICA: Never run _REG on system_memory and system_IO - ALSA: hda/sigmatel - Disable automute for Elo VuPoint - [ppc64el] KVM: Book3S PR: Exiting split hack mode needs to fixup both PC and LR - USB: serial: cypress_m8: fix interrupt-out transfer length - [armel/marvell] mtd: physmap_of: Release resources on error - cpu/SMT: State SMT is disabled even with nosmt and without "=force" - brcmfmac: reduce timeout for action frame scan - brcmfmac: fix full timeout waiting for action frame on-channel tx - [armhf] clk: samsung: Use clk_hw API for calling clk framework from clk notifiers - NFSv4.x: fix lock recovery during delegation recall - [x86] dmaengine: ioat: fix prototype of ioat_enumerate_channels - iwlwifi: mvm: don't send keys when entering D3 - reset: Fix potential use-after-free in __of_reset_control_get() - bcache: recal cached_dev_sectors on detach - [s390x] kasan: avoid vdso instrumentation - [armhf] mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable - GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads - media: cx231xx: fix potential sign-extension overflow on large shift - [x86] kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error - gpio: syscon: Fix possible NULL ptr usage - spi: spidev: Fix OF tree warning logic - [armel,armhf] 8802/1: Call syscall_trace_exit even when system call skipped - [armhf] hwmon: (pwm-fan) Silence error on probe deferral - mac80211: minstrel: fix CCK rate group streams value - [armhf] spi: rockchip: initialize dma_slave_config properly - [armhf] dts: omap5: Fix dual-role mode on Super-Speed port - [arm64] uaccess: Ensure PAN is re-enabled after unhandled uaccess fault https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.204 - net/mlx4_en: fix mlx4 ethtool -N insertion - net: rtnetlink: prevent underflows in do_setvfinfo() - sfc: Only cancel the PPS workqueue if it exists - net/mlx5e: Fix set vf link state error flow - net/sched: act_pedit: fix WARN() in the traffic path - [arm64] gpio: max77620: Fixup debounce delays - mm/ksm.c: don't WARN if page is still mapped in remove_stable_node() - [x86] platform: asus-nb-wmi: Support ALS on the Zenbook UX430UQ - [x86] platform: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi - mwifiex: Fix NL80211_TX_POWER_LIMITED - ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback - printk: fix integer overflow in setup_log_buf() - gfs2: Fix marking bitmaps non-full - synclink_gt(): fix compat_ioctl() - [ppc64el] Fix signedness bug in update_flash_db() - [ppc64el] eeh: Fix use of EEH_PE_KEEP on wrong field - brcmsmac: AP mode: update beacon when TIM changes - ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem - btrfs: handle error of get_old_root - [amd64] misc: mic: fix a DMA pool free failure - scsi: ips: fix missing break in switch - [x86] KVM: Fix invvpid and invept register operand size in 64-bit mode - [x86] scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler - [x86] scsi: isci: Change sci_controller_start_task's return type to sci_status - scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param - [armhf] ASoC: tegra_sgtl5000: fix device_node refcounting - scsi: dc395x: fix dma API usage in srb_done - scsi: dc395x: fix DMA API usage in sg_update_list - net: fix warning in af_unix - xfs: fix use-after-free race in xfs_buf_rele - [x86] kprobes, ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack - ALSA: i2c/cs8427: Fix int to char conversion - USB: misc: appledisplay: fix backlight update_status return code - usbip: tools: fix atoi() on non-null terminated string - SUNRPC: Fix a compile warning for cmpxchg64() - sunrpc: safely reallow resvport min/max inversion - atm: zatm: Fix empty body Clang warnings - [s390x] perf: Return error when debug_register fails - [armhf] spi: omap2-mcspi: Set FIFO DMA trigger level to word length - ceph: fix dentry leak in ceph_readdir_prepopulate - [armel/marvell] rtc: s35390a: Change buf's type to u8 in s35390a_init - f2fs: fix to spread clear_cold_data() - mISDN: Fix type of switch control variable in ctrl_teimanager - qlcnic: fix a return in qlcnic_dcb_get_capability() - net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode - [armhf] mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values - [ppc64el] process: Fix flush_all_to_thread for SPE - fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle() - mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock - macsec: update operstate when lower device changes - macsec: let the administrator set UP state even if lowerdev is down - linux/bitmap.h: handle constant zero-size bitmaps correctly - linux/bitmap.h: fix type of nbits in bitmap_shift_right() - hfsplus: fix BUG on bnode parent update - hfs: fix BUG on bnode parent update - hfsplus: prevent btree data loss on ENOSPC - hfs: prevent btree data loss on ENOSPC - hfsplus: fix return value of hfsplus_get_block() - hfs: fix return value of hfs_get_block() - hfsplus: update timestamps on truncate() - hfs: update timestamp on truncate() - fs/hfs/extent.c: fix array out of bounds read of array extent - mm/memory_hotplug: make add_memory() take the device_hotplug_lock - igb: shorten maximum PHC timecounter update interval - [arm64] makefile fix build of .i file in external module case - ocfs2: don't put and assigning null to bh allocated outside - ocfs2: fix clusters leak in ocfs2_defrag_extent() - net: do not abort bulk send on BQL status - sched/fair: Don't increase sd->balance_interval on newidle balance - audit: print empty EXECVE args - [armhf,arm64] wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' - rtl8xxxu: Fix missing break in switch - brcmsmac: never log "tid x is not agg'able" by default - wireless: airo: potential buffer overflow in sprintf() - rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information - scsi: mpt3sas: Fix Sync cache command failure during driver unload - scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11 - scsi: megaraid_sas: Fix msleep granularity - scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces - dlm: fix invalid free - dlm: don't leak kernel pointer to userspace - ACPICA: Use %d for signed int print formatting instead of %u - [arm64] pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues - [armhf] spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch - mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock - Bluetooth: Fix invalid-free in bcsp_close() - KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved - ath9k_hw: fix uninitialized variable data - dm: use blk_set_queue_dying() in __dm_destroy() - [arm64] fix for bad_mode() handler to always result in panic - cpufreq: Skip cpufreq resume if it's not suspended - ocfs2: remove ocfs2_is_o2cb_active() - [armel,armhf] 8904/1: skip nomap memblocks while finding the lowmem/ highmem boundary - [x86] insn: Fix awk regexp warnings - [x86] speculation: Fix incorrect MDS/TAA mitigation status - [x86] speculation: Fix redundant MDS mitigation message - nfc: port100: handle command failure cleanly - l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 - media: vivid: Set vid_cap_streaming and vid_out_streaming to true - media: vivid: Fix wrong locking that causes race conditions on streaming stop (CVE-2019-18683) - media: usbvision: Fix races among open, close, and disconnect - cpufreq: Add NULL checks to show() and store() methods of cpufreq - media: uvcvideo: Fix error path in control parsing failure - media: b2c2-flexcop-usb: add sanity checking (CVE-2019-15291) - media: cxusb: detect cxusb_ctrl_msg error in query - media: imon: invalid dereference in imon_touch_event - virtio_console: reset on out of memory - virtio_console: don't tie bufs to a vq - virtio_console: allocate inbufs in add_port() only if it is needed - virtio_ring: fix return code on DMA mapping fails - virtio_console: fix uninitialized variable use - virtio_console: drop custom control queue cleanup - virtio_console: move removal code - usbip: tools: fix fd leakage in the function of read_attr_usbip_status - usb-serial: cp201x: support Mark-10 digital force gauge - USB: chaoskey: fix error case of a timeout - appledisplay: fix error handling in the scheduled work - USB: serial: mos7720: fix remote wakeup - USB: serial: mos7840: fix remote wakeup - staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error - [ppc64el] 64s: support nospectre_v2 cmdline option - [ppc64el] book3s64: Fix link stack flush on context switch (CVE-2019-18660) - [ppc64el] KVM: Book3S HV: Flush link stack on guest exit to host kernel (CVE-2019-18660) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.205 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.206 - ASoC: compress: fix unsigned integer overflow check - [armel/marvell] ASoC: kirkwood: fix external clock probe defer - [armhf] clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume - reset: fix reset_control_ops kerneldoc comment - can: peak_usb: report bus recovery as well - [arm64] watchdog: meson: Fix the wrong value of left time - mac80211: fix station inactive_time shortly after boot - block: drbd: remove a stray unlock in __drbd_send_protocol() - scsi: lpfc: Fix dif and first burst use in write commands - [armhf] dts: imx53-voipac-dmm-668: Fix memory node duplication - [arm64] mm: Prevent mismatched 52-bit VA support - [arm64] smp: Handle errors reported by the firmware - [armhf] PM / AVS: SmartReflex: NULL check before some freeing functions is not needed - [x86] ACPI / LPSS: Ignore acpi_device_fix_up_power() return value - crypto: user - support incremental algorithm dumps - mwifiex: fix potential NULL dereference and use after free - mwifiex: debugfs: correct histogram spacing, formatting - rtl818x: fix potential use after free - xfs: require both realtime inodes to mount - ubi: Put MTD device after it is not used - ubi: Do not drop UBI device reference before using - gpiolib: Fix return value of gpio_to_desc() stub if !GPIOLIB - VSOCK: bind to random port for VMADDR_PORT_ANY - [armhf] mtd: rawnand: sunxi: Write pageprog related opcodes to WCMD_SET - btrfs: only track ref_heads in delayed_ref_updates - [x86] HID: intel-ish-hid: fixes incorrect error handling - xen/pciback: Check dev_data before using it - pinctrl: xway: fix gpio-hog related boot issues - net/mlx5: Continue driver initialization despite debugfs failure - [s390x] KVM: unregister debug feature on failing arch init - dm flakey: Properly corrupt multi-page bios. - gfs2: take jdata unstuff into account in do_grow - xfs: Align compat attrlist_by_handle with native implementation. - xfs: Fix bulkstat compat ioctls on x32 userspace. - IB/qib: Fix an error code in qib_sdma_verbs_send() - [ppc64el] xmon: fix dump_segments() - [armhf] drivers/regulator: fix a missing check of return value - RDMA/srp: Propagate ib_post_send() failures to the SCSI mid-layer - scsi: qla2xxx: deadlock by configfs_depend_item - scsi: csiostor: fix incorrect dma device in case of vport - ath6kl: Only use match sets when firmware supports it - ath6kl: Fix off by one error in scan completion - [ppc64el] prom: fix early DEBUG messages - [ppc64el] mm: Make NULL pointer deferences explicit on bad page faults. - vfio/spapr_tce: Get rid of possible infinite loop - [ppc64el] powernv/eeh/npu: Fix uninitialized variables in opal_pci_eeh_freeze_status - drbd: ignore "all zero" peer volume sizes in handshake - drbd: reject attach of unsuitable uuids even if connected - drbd: do not block when adjusting "disk-options" while IO is frozen - drbd: fix print_st_err()'s prototype to match the definition - [armhf] regulator: tps65910: fix a missing check of return value - [ppc64el] pseries: Fix node leak in update_lmb_associativity_index() - net/net_namespace: Check the return value of register_pernet_subsys() - [armhf,arm64] net: stmicro: fix a missing check of clk_prepare - [armhf] net: dsa: bcm_sf2: Propagate error value from mdio_write - atl1e: checking the status of atl1e_write_phy_reg - tipc: fix a missing check of genlmsg_put - ocfs2: clear journal dirty flag after shutdown journal - vmscan: return NODE_RECLAIM_NOSCAN in node_reclaim() when CONFIG_NUMA is n - lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk - lib/genalloc.c: use vzalloc_node() to allocate the bitmap - mtd: Check add_mtd_device() ret code - tipc: fix memory leak in tipc_nl_compat_publ_dump - net/core/neighbour: tell kmemleak about hash tables - net/core/neighbour: fix kmemleak minimal reference count for hash tables - sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe - ip_tunnel: Make none-tunnel-dst tunnel port work with lwtunnel - decnet: fix DN_IFREQ_SIZE - tipc: fix skb may be leaky in tipc_link_input - sfc: initialise found bitmap in efx_ef10_mtd_probe - net: fix possible overflow in __sk_mem_raise_allocated() - sctp: don't compare hb_timer expire date before starting it - net: dev: Use unsigned integer as an argument to left-shift - [x86] iommu/amd: Fix NULL dereference bug in match_hid_uid - scsi: libsas: Support SATA PHY connection rate unmatch fixing during discovery - ACPI / APEI: Switch estatus pool to use vmalloc memory - scsi: libsas: Check SMP PHY control function result - [ppc64el] pseries/dlpar: Fix a missing check in dlpar_parse_cc_property() - mtd: Remove a debug trace in mtdpart.c - mm, gup: add missing refcount overflow checks on x86 and s390 - [amd64] mei: bus: prefix device names on bus with the bus name - media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE - [arm64] net: macb: fix error format in dev_err() - pwm: Clear chip_data in pwm_put() - macvlan: schedule bc_work even if error - openvswitch: fix flow command message size - slip: Fix use-after-free Read in slip_open - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() - openvswitch: remove another BUG_ON() - tipc: fix link name length check - sctp: cache netns in sctp_ep_common - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues - HID: core: check whether Usage Page item is after Usage ID items - [x86] platform: hp-wmi: Fix ACPI errors caused by too small buffer https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.207 - [arm64] tegra: Fix 'active-low' warning for Jetson TX1 regulator - usb: gadget: u_serial: add missing port entry locking - [arm64] tty: serial: msm_serial: Fix flow control - [armhf,arm64] serial: pl011: Fix DMA ->flush_buffer() - serial: serial_core: Perform NULL checks for break_ctl ops - autofs: fix a leak in autofs_expire_indirect() - exportfs_decode_fh(): negative pinned may become positive without the parent locked - audit_get_nd(): don't unlock parent too early - ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() - rsxx: add missed destroy_workqueue calls in remove - serial: core: Allow processing sysrq at port unlock time - cxgb4vf: fix memleak in mac_hlist initialization - iwlwifi: mvm: Send non offchannel traffic via AP sta - [armhf] 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+ - net/mlx5: Release resource on error flow - [armhf] clk: rockchip: fix rk3188 sclk_smc gate data - [armhf] clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering - [armhf] dts: rockchip: Fix rk3288-rock2 vcc_flash name - dlm: fix missing idr_destroy for recover_idr - [s390x] scsi: zfcp: drop default switch case which might paper over missing case - [arm64] pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues - regulator: Fix return value of _set_load() stub - [mips*/octeon] octeon-platform: fix typing - math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning - [armhf] dts: exynos: Use Samsung SoC specific compatible for DWC2 module - [armhf,arm64] usb: dwc3: don't log probe deferrals; but do log other error codes - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() - dma-mapping: fix return type of dma_set_max_seg_size() - [armhf] serial: imx: fix error handling in console_setup - [armhf] i2c: imx: don't print error message on probe defer - dlm: NULL check before kmem_cache_destroy is not needed - nfsd: fix a warning in __cld_pipe_upcall() - net/x25: fix called/calling length calculation in x25_parse_address_block - net/x25: fix null_x25_address handling - tcp: fix off-by-one bug on aborting window-probing socket - tcp: fix SNMP TCP timeout under-estimation - modpost: skip ELF local symbols during section mismatch check - kbuild: fix single target build for external module - mtd: fix mtd_oobavail() incoherent returned value - [armhf] clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent - dlm: fix invalid cluster name warning - net/mlx4_core: Fix return codes of unsupported operations - [ppc64el] math-emu: Update macros from GCC - [mips*/octeon] cvmx_pko_mem_debug8: use oldest forward compatible definition - nfsd: Return EPERM, not EACCES, in some SETATTR cases - tty: Don't block on IO when ldisc change is pending - media: stkwebcam: Bugfix for wrong return values - mlx4: Use snprintf instead of complicated strcpy - [armhf] dts: sunxi: Fix PMU compatible strings - sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision - fuse: verify nlink - fuse: verify attributes - ALSA: pcm: oss: Avoid potential buffer overflows - [x86] Input: goodix - add upside-down quirk for Teclast X89 tablet - [x86] PCI: Avoid AMD FCH XHCI USB PME# from D0 defect - CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks - CIFS: Fix SMB2 oplock break processing - tty: vt: keyboard: reject invalid keycodes - can: slcan: Fix use-after-free Read in slcan_open - jbd2: Fix possible overflow in jbd2_log_space_left() - [i386] drm/i810: Prevent underflow in ioctl - [x86] KVM: do not modify masked bits of shared MSRs - [x86] KVM: fix presentation of TSX feature in ARCH_CAPABILITIES - [x86] crypto: ccp - fix uninitialized list head - crypto: ecdh - fix big endian bug in ECC library - crypto: user - fix memory leak in crypto_report (CVE-2019-19062) - RDMA/qib: Validate ->show()/store() callbacks before calling them - thermal: Fix deadlock in thermal thermal_zone_device_check - [x86] KVM: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) - appletalk: Fix potential NULL pointer dereference in unregister_snap_client (CVE-2019-19227) - appletalk: Set error code if register_snap_client failed - usb: gadget: configfs: Fix missing spin_lock_init() - USB: uas: honor flag to avoid CAPACITY16 - USB: uas: heed CAPACITY_HEURISTICS - usb: Allow USB device to be warm reset in suspended state - staging: rtl8188eu: fix interface sanity check - staging: rtl8712: fix interface sanity check - staging: gigaset: fix general protection fault on probe - staging: gigaset: fix illegal free on probe errors - staging: gigaset: add endpoint-type sanity check - xhci: Increase STS_HALT timeout in xhci_suspend() - [armhf] dts: pandora-common: define wl1251 as child node of mmc3 - USB: atm: ueagle-atm: add missing endpoint check - USB: idmouse: fix interface sanity checks - USB: serial: io_edgeport: fix epic endpoint lookup - USB: adutux: fix interface sanity check - usb: core: urb: fix URB structure initialization function - usb: mon: Fix a deadlock in usbmon between mmap and read - virtio-balloon: fix managed page counts when migrating pages between zones - btrfs: check page->mapping when loading free space cache - btrfs: Remove btrfs_bio::flags member - Btrfs: send, skip backreference walking for extents with many references - btrfs: record all roots for rename exchange on a subvol - rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address - rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer - rtlwifi: rtl8192de: Fix missing enable interrupt flag - lib: raid6: fix awk build warnings - ALSA: hda - Fix pending unsol events at shutdown - workqueue: Fix spurious sanity check failures in destroy_workqueue() - workqueue: Fix pwq ref leak in rescuer_thread() - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report - blk-mq: avoid sysfs buffer overflow with too many CPU cores - cgroup: pids: use atomic64_t for pids->limit - ar5523: check NULL before memcpy() in ar5523_cmd() - cpuidle: Do not unset the driver if it is there already - PM / devfreq: Lock devfreq in trans_stat_show - ACPI: OSL: only free map once in osl.c - ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() - ACPI: PM: Avoid attaching ACPI PM domain to certain devices - [armhf] pinctrl: samsung: Fix device node refcount leaks in init code - [armhf] mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card - ppdev: fix PPGETTIME/PPSETTIME ioctls - [ppc64el] Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB - video/hdmi: Fix AVI bar unpack - quota: Check that quota is not dirty before release - quota: fix livelock in dquot_writeback_dquots - [s390x] scsi: zfcp: trace channel log even for FCP command responses - usb: xhci: only set D3hot for pci device - xhci: Fix memory leak in xhci_add_in_port() - xhci: make sure interrupts are restored to correct state - Btrfs: fix negative subv_writers counter and data space leak after buffered write - [armhf] omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251 - scsi: lpfc: Cap NPIV vports to 256 - [x86] MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models - [x86] MCE/AMD: Carve out the MC4_MISC thresholding quirk - ath10k: fix fw crash by moving chip reset after napi disabled - [armhf] dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity - scsi: qla2xxx: Fix DMA unmap leak - scsi: qla2xxx: Fix session lookup in qlt_abort_work() - scsi: qla2xxx: Fix qla24xx_process_bidir_cmd() - scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value - [ppc64el] Fix vDSO clock_getres() - reiserfs: fix extended attributes on the root directory - [arm64] firmware: qcom: scm: Ensure 'a0' status code is treated as signed - mm/shmem.c: cast the type of unmap_start to u64 - ext4: fix a bug in ext4_wait_for_tail_page_commit - blk-mq: make sure that line break can be printed - workqueue: Fix missing kfree(rescuer) in destroy_workqueue() - sunrpc: fix crash when cache_head become valid before update - net/mlx5e: Fix SFF 8472 eeprom length - kernel/module.c: wakeup processes in module_wq on module unload - nvme: host: core: fix precedence of ternary operator - net: bridge: deny dev_set_mac_address() when unregistering - net: ethernet: ti: cpsw: fix extra rx interrupt - openvswitch: support asymmetric conntrack - tcp: md5: fix potential overestimation of TCP option space - tipc: fix ordering of tipc module init and exit routine - inet: protect against too small mtu values. - tcp: fix rejected syncookies due to stale timestamps - tcp: tighten acceptance of ACKs not matching a child socket - tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE() - [x86] PCI: Fix Intel ACS quirk UPDCR register address - PCI/MSI: Fix incorrect MSI-X masking on resume - CIFS: Respect O_SYNC and O_DIRECT flags during reconnect - [armhf] tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume() - vfio/pci: call irq_bypass_unregister_producer() before freeing irq - dma-buf: Fix memory leak in sync_file_merge() - dm btree: increase rebalance threshold in __rebalance2() - scsi: iscsi: Fix a potential deadlock in the timeout handler - drm/radeon: fix r1xx/r2xx register checker for POT textures - xhci: fix USB3 device initiated resume race with roothub autosuspend - [armhf,arm64] net: stmmac: use correct DMA buffer size in the RX descriptor - [armhf,arm64] net: stmmac: don't stop NAPI processing when dropping a packet https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.208 - btrfs: skip log replay on orphaned roots - btrfs: do not leak reloc root if we fail to read the fs root - btrfs: handle ENOENT in btrfs_uuid_tree_iterate - ALSA: pcm: Avoid possible info leaks from PCM stream buffers - ALSA: hda/ca0132 - Keep power on during processing DSP response - ALSA: hda/ca0132 - Avoid endless loop - drm: mst: Fix query_payload ack reply struct - spi: Add call to spi_slave_abort() function when spidev driver is released - staging: rtl8192u: fix multiple memory leaks on error path - staging: rtl8188eu: fix possible null dereference - rtlwifi: prevent memory leak in rtl_usb_probe - libertas: fix a potential NULL pointer dereference - IB/iser: bound protection_sg size by data_sg size - tools/power/cpupower: Fix initializer override in hsw_ext_cstates - [armhf] hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled - media: flexcop-usb: fix NULL-ptr deref in flexcop_usb_transfer_init() - media: cec-funcs.h: add status_req checks - mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring (CVE-2019-19057) - [armhf] media: ti-vpe: vpe: fix a v4l2-compliance warning about invalid pixel format - [armhf] media: ti-vpe: vpe: fix a v4l2-compliance failure about frame sequence number - [armhf] media: ti-vpe: vpe: Make sure YUYV is set as default format - [x86] mm: Use the correct function type for native_set_fixmap() - perf test: Report failure for mmap events - usb: usbfs: Suppress problematic bind and unbind uevents. - Bluetooth: hci_core: fix init for HCI_USER_CHANNEL - [x86] mce: Lower throttling MCE messages' priority to warning - [x86] drm/gma500: fix memory disclosures due to uninitialized bytes - rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot - [x86] ioapic: Prevent inconsistent state when moving an interrupt - [arm64] psci: Reduce the waiting time for cpu_psci_cpu_kill() - libata: Ensure ata_port probe has completed before detach - Bluetooth: Fix advertising duplicated flags - bnx2x: Fix PF-VF communication over multi-cos queues. - ALSA: timer: Limit max amount of slave instances - rtlwifi: fix memory leak in rtl92c_set_fw_rsvdpagepkt() - perf probe: Fix to find range-only function instance - perf probe: Fix to list probe event with correct line number - perf probe: Walk function lines in lexical blocks - perf probe: Fix to probe an inline function which has no entry pc - perf probe: Fix to show ranges of variables in functions without entry_pc - perf probe: Fix to show inlined function callsite without entry_pc - perf probe: Fix to probe a function which has no entry pc - perf probe: Skip overlapped location on searching variables - perf probe: Return a better scope DIE if there is no best scope - perf probe: Fix to show calling lines of inlined functions - perf probe: Skip end-of-sequence and non statement lines - perf probe: Filter out instances except for inlined subroutine and subprogram - ath10k: fix get invalid tx rate for Mesh metric - media: pvrusb2: Fix oops on tear-down when radio support is not present - media: si470x-i2c: add missed operations in remove - ASoC: rt5677: Mark reg RT5677_PWR_ANLG2 as volatile - [s390x] disassembler: don't hide instruction addresses - parport: load lowlevel driver if ports not found - cpufreq: Register drivers only after CPU devices have been registered - [x86] crash: Add a forward declaration of struct kimage - iwlwifi: mvm: fix unaligned read of rx_pkt_status - [arm64] spi: tegra20-slink: add missed clk_unprepare - mmc: tmio: Add MMC_CAP_ERASE to allow erase/discard/trim requests - btrfs: don't prematurely free work in end_workqueue_fn() - btrfs: don't prematurely free work in run_ordered_work() - [x86] insn: Add some Intel instructions to the opcode map - iwlwifi: check kasprintf() return value - fbtft: Make sure string is NULL terminated - [armhf] crypto: sun4i-ss - Fix 64-bit size_t warnings on sun4i-ss-hash.c - [ppc64el] crypto: vmx - Avoid weird build failures - libtraceevent: Fix memory leakage in copy_filter_type - net: phy: initialise phydev speed and duplex sanely - btrfs: don't prematurely free work in reada_start_machine_worker() - usb: xhci: Fix build warning seen with CONFIG_PM=n - btrfs: don't double lock the subvol_sem for rename exchange - btrfs: do not call synchronize_srcu() in inode_tree_del - btrfs: return error pointer from alloc_test_extent_buffer - btrfs: abort transaction after failed inode updates in create_subvol - Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues - af_packet: set defaule value for tmo - [amd64] fjes: fix missed check in fjes_acpi_add - mod_devicetable: fix PHY module format - [arm64] net: hisilicon: Fix a BUG trigered by wrong bytes_compl - net: qlogic: Fix error paths in ql_alloc_large_buffers() - net: usb: lan78xx: Fix suspend/resume PHY register access error - sctp: fully initialize v4 addr in some functions - net: dst: Force 4-byte alignment of dst_metrics - [x86] usbip: Fix error path of vhci_recv_ret_submit() - USB: EHCI: Do not return -EPIPE when hub is disconnected - [x86] platform: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes - [x86] staging: comedi: gsc_hpdi: check dma_alloc_coherent() return value - ext4: fix ext4_empty_dir() for directories with holes (CVE-2019-19037) - ext4: check for directory entries too close to block end - [ppc64el] irq: fix stack overflow verification - perf probe: Fix to show function entry line as probe-able - scsi: mpt3sas: Fix clear pending bit in ioctl status - scsi: lpfc: Fix locking on mailbox command completion - Input: atmel_mxt_ts - disable IRQ across suspend - [armhf,arm64] iommu/tegra-smmu: Fix page tables in > 4 GiB memory - scsi: target: compare full CHAP_A Algorithm strings - scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices - scsi: csiostor: Don't enable IRQs too early - [ppc64el] pseries: Mark accumulate_stolen_time() as notrace - [ppc64el] pseries: Don't fail hash page table insert for bolted mapping - [ppc64el] security/book3s64: Report L1TF status in sysfs - [ppc64el] book3s64/hash: Add cond_resched to avoid soft lockup warning - jbd2: Fix statistics for the number of logged blocks - scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) - scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow - [arm64] clk: qcom: Allow constant ratio freq tables for rcg - fs/quota: handle overflows of sysctl fs.quota.* and report as unsigned long - scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences - scsi: ufs: fix potential bug which ends in system hang - [ppc64el] pseries/cmm: Implement release() function for sysfs device - [ppc64el] security: Fix wrong message when RFI Flush is disable - bcache: at least try to shrink 1 node in bch_mca_scan() - HID: Improve Windows Precision Touchpad detection. - ext4: work around deleting a file with i_nlink == 0 safely (CVE-2019-19447) - scsi: pm80xx: Fix for SATA device discovery - scsi: scsi_debug: num_tgts must be >= 0 - scsi: target: iscsi: Wait for all commands to finish before freeing a session - cdrom: respect device capabilities during opening action - perf regs: Make perf_reg_name() return "unknown" instead of NULL - [s390x] cpum_sf: Check for SDBT and SDB consistency - ocfs2: fix passing zero to 'PTR_ERR' warning - kernel: sysctl: make drop_caches write-only - [x86] mce: Fix possibly incorrect severity calculation on AMD - net, sysctl: Fix compiler warning when only cBPF is present - ALSA: hda - Downgrade error message for single-cmd fallback - perf strbuf: Remove redundant va_end() in strbuf_addv() - vfs: Make filldir[64]() verify the directory entry filename is valid (CVE-2019-10220) - vfs: filldir[64]: remove WARN_ON_ONCE() for bad directory entries - netfilter: ebtables: compat: reject all padding in matches/watchers - 6pack,mkiss: fix possible deadlock - netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() - net: icmp: fix data-race in cmp_global_allow() - hrtimer: Annotate lockless access to timer->state - [x86] pinctrl: baytrail: Really serialize all register accesses - mmc: sdhci: Update the tuning failed messages to pr_debug level - [amd64] net: ena: fix napi handler misbehavior when the napi budget is zero - vhost/vsock: accept only packets with the right dst_cid - tcp/dccp: fix possible race __inet_lookup_established() - tcp: do not send empty skb from tcp_write_xmit() - gtp: fix wrong condition in gtp_genl_dump_pdp() - gtp: avoid zero size hashtable https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.209 - PM / devfreq: Don't fail devfreq_dev_release if not in list - RDMA/cma: add missed unregister_pernet_subsys in init failure - scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func - scsi: qla2xxx: Don't call qlt_async_event twice - scsi: iscsi: qla4xxx: fix double free in probe - scsi: libsas: stop discovering if oob mode is disconnected (CVE-2019-19965) - usb: gadget: fix wrong endpoint desc - md: raid1: check rdev before reference in raid1_sync_request func - [s390x] cpum_sf: Adjust sampling interval to avoid hitting sample limits - [s390x] cpum_sf: Avoid SBD overflow condition in irq handler - IB/mlx4: Follow mirror sequence of device add during device removal - xen-blkback: prevent premature module unload - xen/balloon: fix ballooned page accounting without hotplug enabled - PM / hibernate: memory_bm_find_bit(): Tighten node optimisation - xfs: fix mount failure crash on invalid iclog memory access - taskstats: fix data-race - drm: limit to INT_MAX in create_blob ioctl - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code - [mips*] Avoid VDSO ABI breakage due to global register variable - mm/zsmalloc.c: fix the migrated zspage statistics. - memcg: account security cred as well to kmemcg - locks: print unsigned ino in /proc/locks - dmaengine: Fix access to uninitialized dma_slave_caps - compat_ioctl: block: handle Persistent Reservations - gpiolib: fix up emulated open drain outputs - tracing: Have the histogram compare functions convert to u64 first - ALSA: cs4236: fix error return comparison of an unsigned integer - ftrace: Avoid potential division by zero in function profiler - [arm64] Revert support for execute-only user mappings - PM / devfreq: Check NULL governor in available_governors_show - nfsd4: fix up replay_matches_cache() - xfs: don't check for AG deadlock for realtime files in bunmapi - Bluetooth: btusb: fix PM leak in error case of setup - Bluetooth: delete a stray unlock - Bluetooth: Fix memory leak in hci_connect_le_scan - media: flexcop-usb: ensure -EIO is returned on error condition - media: usb: fix memory leak in af9005_identify_state (CVE-2019-18809) - [arm64] tty: serial: msm_serial: Fix lockup for sysrq and oops - fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP - drm/mst: Fix MST sideband up-reply failure handling - [ppc64el] pseries/hvconsole: Fix stack overread via udbg - rxrpc: Fix possible NULL pointer access in ICMP handling - ath9k_htc: Modify byte order for an error message - ath9k_htc: Discard undersized packets - net: add annotations on hh->hh_len lockless accesses - [s390x] smp: fix physical to logical CPU map for SMT - xen/blkback: Avoid unmapping unmapped grant pages - [x86] locking: Remove the unused atomic_inc_short() methd - pstore/ram: Write new dumps to start of recycled zones - locking/spinlock/debug: Fix various data races - netfilter: ctnetlink: netns exit must wait for callbacks - efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs - efi/gop: Return EFI_SUCCESS if a usable GOP was found - efi/gop: Fix memory leak in __gop_query32/64() - [armhf] vexpress: Set-up shared OPP table instead of individual for each CPU - netfilter: uapi: Avoid undefined left-shift in xt_sctp.h - [arm64] spi: spi-cavium-thunderx: Add missing pci_release_regions() - [ppc64el] Ensure that swiotlb buffer is allocated from low memory - bnx2x: Do not handle requests from VFs after parity - bnx2x: Fix logic to get total no. of PFs per engine - net: usb: lan78xx: Fix error message format specifier - rfkill: Fix incorrect check to avoid NULL pointer dereference - [x86] perf/intel: Fix PT PMI handling - [armhf,arm64] net: stmmac: RX buffer size must be 16 byte aligned - block: fix memleak when __blk_rq_map_user_iov() is failed - llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) - macvlan: do not assume mac_header is set in macvlan_broadcast() - [armhf] net: stmmac: dwmac-sunxi: Allow all RGMII modes - net: usb: lan78xx: fix possible skb leak - pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK - vxlan: fix tos value before xmit - vlan: vlan_changelink() should propagate errors - net: sch_prio: When ungrafting, replace with FIFO - vlan: fix memory leak in vlan_dev_set_egress_priority - USB: core: fix check for duplicate endpoints https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.210 - chardev: Avoid potential use-after-free in 'chrdev_open()' - [armhf,arm64] usb: chipidea: host: Disable port power only if previously enabled - ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 - tcp: minimize false-positives on TCP/GRO check - kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail - HID: Fix slab-out-of-bounds read in hid_field_extract - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll - HID: hid-input: clear unmapped usages - Input: add safety guards to input_set_keycode() - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs - [x86] staging: vt6656: set usb_set_intfdata on driver fail. - USB: serial: option: add ZLP support for 0x1bc7/0x9010 - [armhf] usb: musb: fix idling for suspend after disconnect interrupt - [armhf] usb: musb: Disable pullup at init - [armhf] usb: musb: dma: Correct parameter passed to IRQ handler - [x86] staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 - tty: link tty and port before configuring it as console - tty: always relink the port - mwifiex: fix possible heap overflow in mwifiex_process_country_ie() (CVE-2019-14895) - mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf (CVE-2019-19056) - scsi: bfa: release allocated memory in case of error (CVE-2019-19066) - rtl8xxxu: prevent leaking urb (CVE-2019-19068) - USB: Fix: Don't skip endpoint descriptors with maxpacket=0 - netfilter: arp_tables: init netns pointer in xt_tgchk_param struct - netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present - [x86] drm/i915/gen9: Clear residual context state on context switch (CVE-2019-14615) . [ Ben Hutchings ] * debian/control: Fix version in dependencies on arch-independent linux-headers-*-common* (Closes: #869511) * linux-headers: Change linux-kbuild dependency to be versioned (ensuring it has retpoline support on x86) * [rt] Update to 4.9.201-rt134: - Update "fs/dcache: disable preemption on i_dir_seq's write side" to apply after "Fix the locking in dcache_readdir() and friends" * Bump ABI to 12 * xfs: catch inode allocation state mismatch corruption * xfs: validate cached inodes are free when allocated (CVE-2018-13093) * xfs: don't call xfs_da_shrink_inode with NULL bp (CVE-2018-13094) * rsi: add fix for crash during assertions (CVE-2018-21008) * libertas: Fix two buffer overflows at parsing bss descriptor (CVE-2019-14896, CVE-2019-14897) * mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() (CVE-2019-14901) * media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap (CVE-2019-15217) * wimax: i2400: fix memory leak (CVE-2019-19051) * wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle (CVE-2019-19051) * ext4: fix use-after-free race with debug_want_extra_isize * ext4: add more paranoia checking in ext4_expand_extra_isize handling (CVE-2019-19767) * can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices (CVE-2019-19947) * dccp: Fix memleak in __feat_register_sp (CVE-2019-20096) linux (4.9.189-3+deb9u2) stretch-security; urgency=high . * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135): - KVM: x86: use Intel speculation bugs and features as derived in generic x86 code - x86/msr: Add the IA32_TSX_CTRL MSR - x86/cpu: Add a helper function x86_read_arch_cap_msr() - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default - x86/speculation/taa: Add mitigation for TSX Async Abort - x86/speculation/taa: Add sysfs reporting for TSX Async Abort - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled - x86/tsx: Add "auto" option to the tsx= cmdline parameter - x86/speculation/taa: Add documentation for TSX Async Abort - x86/tsx: Add config options to set tsx=on|off|auto - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs TSX is now disabled by default; see Documentation/hw-vuln/tsx_async_abort.rst * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change (aka iTLB multi-hit, CVE-2018-12207): - KVM: x86: simplify ept_misconfig - KVM: x86: extend usage of RET_MMIO_PF_* constants - KVM: MMU: drop vcpu param in gpte_access - kvm: Convert kvm_lock to a mutex - kvm: x86: Do not release the page inside mmu_set_spte() - KVM: x86: make FNAME(fetch) and __direct_map more similar - KVM: x86: remove now unneeded hugepage gfn adjustment - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON - KVM: x86: Add is_executable_pte() - KVM: x86: add tracepoints around __direct_map and FNAME(fetch) - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active - x86/bugs: Add ITLB_MULTIHIT bug infrastructure - cpu/speculation: Uninline and export CPU mitigations helpers - kvm: mmu: ITLB_MULTIHIT mitigation - kvm: Add helper function for creating VM worker threads - kvm: x86: mmu: Recovery of shattered NX large pages - Documentation: Add ITLB_MULTIHIT documentation * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155): - drm/i915: kick out cmd_parser specific structs from i915_drv.h - drm/i915: cleanup use of INSTR_CLIENT_MASK - drm/i915: return EACCES for check_cmd() failures - drm/i915: don't whitelist oacontrol in cmd parser - drm/i915: Use the precomputed value for whether to enable command parsing - drm/i915/cmdparser: Limit clflush to active cachelines - drm/i915/gtt: Add read only pages to gen8_pte_encode - drm/i915/gtt: Read-only pages for insert_entries on bdw+ - drm/i915/gtt: Disable read-only support under GVT - drm/i915: Prevent writing into a read-only object via a GGTT mmap - drm/i915/cmdparser: Check reg_table_count before derefencing. - drm/i915/cmdparser: Do not check past the cmd length. - drm/i915: Silence smatch for cmdparser - drm/i915: Move engine->needs_cmd_parser to engine->flags - drm/i915: Rename gen7 cmdparser tables - drm/i915: Disable Secure Batches for gen6+ - drm/i915: Remove Master tables from cmdparser - drm/i915: Add support for mandatory cmdparsing - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers - drm/i915: Allow parsing of unsized batches - drm/i915: Add gen9 BCS cmdparsing - drm/i915/cmdparser: Use explicit goto for error paths - drm/i915/cmdparser: Add support for backward jumps - drm/i915/cmdparser: Ignore Length operands during command matching - drm/i915/cmdparser: Fix jump whitelist clearing * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154): - drm/i915: Lower RM timeout to avoid DSI hard hangs - drm/i915/gen8+: Add RC6 CTX corruption WA * drm/i915: Avoid ABI change for CVE-2019-0155 linux (4.9.189-3+deb9u1) stretch-security; urgency=high . * vhost: make sure log_num < in_num (CVE-2019-14835) * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117) * ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term (CVE-2019-15118) * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902) * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821) linux-latest (80+deb9u10) stretch; urgency=medium . * Update to 4.9.0-12 llvm-toolchain-7 (1:7.0.1-8~deb9u3) stretch; urgency=medium . * Disable the gold linker from s390x. * Bootstrap with -fno-addrsig, stretch's binutils doesn't work with it on mips64el. mariadb-10.1 (10.1.44-0+deb9u1) stretch; urgency=high . * SECURITY UPDATE: New upstream version 10.1.44. Includes fixes for the following security vulnerabilities: - CVE-2020-2574 * Previous upstream version 10.1.43 includes a fix for a regression introduced in the previous release: - MDEV-20987: InnoDB fails to start when FTS table has FK relation * Previous release 10.1.42 includes fix for the following security vulnerability: - CVE-2019-2974 mediawiki (1:1.27.7-1~deb9u3) stretch-security; urgency=medium . * Fix CVE-2019-19709, backported from upstream * Disable personal and sitewide CSS/JS on Special:PasswordReset as a hardening measure, backported from upstream mediawiki (1:1.27.7-1~deb9u2) stretch-security; urgency=medium . * Fix CVE-2019-16738, backported from upstream monit (1:5.20.0-6+deb9u1) stretch; urgency=medium . * Implement position independent CSRF cookie value (Closes: #941895). netty (1:4.1.7-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Correctly handle whitespaces in HTTP header names as defined by RFC7230#section-3.2.4 (CVE-2019-16869) (Closes: #941266) nghttp2 (1.18.1-1+deb9u1) stretch-security; urgency=high . * Fix CVE-2019-9511 and CVE-2019-9513 node-fstream (1.0.10-1+deb9u1) stretch; urgency=medium . * Team upload * Clobber a Link if it's in the way of a File (Closes: #931408, CVE-2019-13173) node-mixin-deep (1.1.3-1+deb9u1) stretch; urgency=medium . * Team upload * Fix prototype polution (Closes: #898315, CVE-2018-3719) * Fix prototype pollution (Closes: #932500, CVE-2019-10746) nodejs-mozilla (8.11.1~dfsg-2~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Backport to stretch as nodejs-mozilla, to be used for Firefox ESR 68. * Use internal libuv, http-parser and c-ares as the ones in stretch are too old. * disable-expired-cert-test.patch: disable a test case that fails due to an expired test certificate. * fix-openssl-error-string.patch: update a test expected output for openssl 1.1.0j. nvidia-graphics-drivers-legacy-340xx (340.108-3~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers-legacy-340xx (340.108-3~deb10u1) buster; urgency=medium . * Rebuild for buster. . nvidia-graphics-drivers-legacy-340xx (340.108-3) unstable; urgency=medium . * Bump Standards-Version to 4.5.0. No changes needed. . nvidia-graphics-drivers-legacy-340xx (340.108-2) unstable; urgency=medium . * Restore kmem_cache_create_usercopy.patch. (Closes: #948032, #948195) * Add NEWS entry w.r.t. EoL state. * Use substitution to keep Standards-Version in sync (430.64-5). . nvidia-graphics-drivers-legacy-340xx (340.108-1) unstable; urgency=medium . * The 340.xx legacy driver series has been declared as End-of-Life by NVIDIA. No further updates fixing security issues, critical bugs, or adding support for new Xorg or Linux releases will be issued. https://nvidia.custhelp.com/app/answers/detail/a_id/3142 . * New upstream legacy 340xx branch release 340.108 (2019-12-23). - Updated the nvidia-drm kernel module for compatibility with the removal of the DRIVER_PRIME flag in recent Linux kernel versions. - Updated nvidia-bug-report.sh to search the systemd journal for gdm-x-session logs. - Fixed a build failure, "too many arguments to function 'get_user_pages'", when building the NVIDIA kernel module for Linux kernel v4.4.168. - Fixed a build failure, "implicit declaration of function do_gettimeofday", when building the NVIDIA kernel module for Linux kernel 5.0 release candidates. * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Add buildfix_kernel_4.11.patch (replacing vm-fault.patch) and (parts of) buildfix_kernel_5.2.patch from Ubuntu to fix more vm-fault issues during kernel module build for Linux 5.2+. * Refresh patches. * Allow alternative libnvidia-{tesla,legacy-*}-cuda1 packages to substitute libcuda1 in third-party packages (430.64-3). - Add Provides: libcuda.so.1 (= ${nvidia:Version}). - Generate alternative versioned dependency on libcuda.so.1 through the symbols file. . nvidia-graphics-drivers-legacy-340xx (340.107-8) unstable; urgency=medium . * Create and commit tarball symlinks for legacy branches (430.64-1). * Allow alternative libnvidia-{tesla,legacy-*}-ml1 packages to substitute libnvidia-ml1 (430.64-2). - Add Provides: libnvidia-ml.so.1 (= ${nvidia:Version}). - Generate alternative versioned dependency on libnvidia-ml.so.1 through the symbols file. * Add buildfix_kernel_5.4.patch from Ubuntu to fix kernel module build for Linux 5.4. (Closes: #946137) . nvidia-graphics-drivers-legacy-340xx (340.107-7) unstable; urgency=medium . * Add buildfix_kernel_5.3.patch from Ubuntu to fix kernel module build for Linux 5.3. (Closes: #941788) * Bump Standards-Version to 4.4.1. No changes needed. . nvidia-graphics-drivers-legacy-340xx (340.107-6) unstable; urgency=medium . * Add conftest-include-guard.patch to restore compatibility with older kernels. . nvidia-graphics-drivers-legacy-340xx (340.107-5) unstable; urgency=medium . * Add buildfix_kernel_4.11.patch (replacing vm-fault.patch), buildfix_kernel_5.0.patch, buildfix_kernel_5.2.patch from Ubuntu to fix kernel module build for Linux 5.2. (Closes: #934295, #923815) * Bump Standards-Version to 4.4.0. No changes needed. . nvidia-graphics-drivers-legacy-340xx (340.107-4) unstable; urgency=medium . * use-nv-kernel-ARCH.o_shipped.patch: Simplify for better kernel compatibility. (Closes: #922479) * Drop versioned constraints that are satisfied in wheezy (390.87-7). * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-graphics-drivers-legacy-340xx (340.107-3) unstable; urgency=medium . * Synchronize the module build debhelper sequence with debhelper 10 (390.87-1). * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1 (390.87-3). * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere (390.87-3). * Clean up and unify rule style in debian/rules (390.87-3). * Bump Standards-Version to 4.2.1. No changes needed. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend (390.87-3). * Refresh patches. . nvidia-graphics-drivers-legacy-340xx (340.107-2) unstable; urgency=high . * Backport kmem_cache_create_usercopy.patch from 390.67-2 for the 340.xx series, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #899998) . nvidia-graphics-drivers-legacy-340xx (340.107-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.107 (2018-06-06). - Added support for X.Org xserver ABI 24 (xorg-server 1.20). - Improved nvidia-bug-report.sh to check for kern.log which is the default kernel log-file location for many Debian-based Linux distributions. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Bump Standards-Version to 4.1.4. No changes needed. * Add xorg-video-abi-24 (xserver 1.20) as alternative dependency. (Closes: #900789, #900338) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that (390.67-1). nvidia-graphics-drivers-legacy-340xx (340.108-2) unstable; urgency=medium . * Restore kmem_cache_create_usercopy.patch. (Closes: #948032, #948195) * Add NEWS entry w.r.t. EoL state. * Use substitution to keep Standards-Version in sync (430.64-5). nvidia-graphics-drivers-legacy-340xx (340.108-2~bpo10+1) buster-backports; urgency=medium . * Rebuild for buster-backports. nvidia-graphics-drivers-legacy-340xx (340.108-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.108 (2019-12-23). - Updated the nvidia-drm kernel module for compatibility with the removal of the DRIVER_PRIME flag in recent Linux kernel versions. - Updated nvidia-bug-report.sh to search the systemd journal for gdm-x-session logs. - Fixed a build failure, "too many arguments to function 'get_user_pages'", when building the NVIDIA kernel module for Linux kernel v4.4.168. - Fixed a build failure, "implicit declaration of function do_gettimeofday", when building the NVIDIA kernel module for Linux kernel 5.0 release candidates. * Improved compatibility with recent Linux kernels. . [ Andreas Beckmann ] * Add buildfix_kernel_4.11.patch (replacing vm-fault.patch) and (parts of) buildfix_kernel_5.2.patch from Ubuntu to fix more vm-fault issues during kernel module build for Linux 5.2+. * Refresh patches. * Allow alternative libnvidia-{tesla,legacy-*}-cuda1 packages to substitute libcuda1 in third-party packages (430.64-3). - Add Provides: libcuda.so.1 (= ${nvidia:Version}). - Generate alternative versioned dependency on libcuda.so.1 through the symbols file. nvidia-graphics-drivers-legacy-340xx (340.107-8) unstable; urgency=medium . * Create and commit tarball symlinks for legacy branches (430.64-1). * Allow alternative libnvidia-{tesla,legacy-*}-ml1 packages to substitute libnvidia-ml1 (430.64-2). - Add Provides: libnvidia-ml.so.1 (= ${nvidia:Version}). - Generate alternative versioned dependency on libnvidia-ml.so.1 through the symbols file. * Add buildfix_kernel_5.4.patch from Ubuntu to fix kernel module build for Linux 5.4. (Closes: #946137) nvidia-graphics-drivers-legacy-340xx (340.107-7) unstable; urgency=medium . * Add buildfix_kernel_5.3.patch from Ubuntu to fix kernel module build for Linux 5.3. (Closes: #941788) * Bump Standards-Version to 4.4.1. No changes needed. nvidia-graphics-drivers-legacy-340xx (340.107-6) unstable; urgency=medium . * Add conftest-include-guard.patch to restore compatibility with older kernels. nvidia-graphics-drivers-legacy-340xx (340.107-5) unstable; urgency=medium . * Add buildfix_kernel_4.11.patch (replacing vm-fault.patch), buildfix_kernel_5.0.patch, buildfix_kernel_5.2.patch from Ubuntu to fix kernel module build for Linux 5.2. (Closes: #934295) * Bump Standards-Version to 4.4.0. No changes needed. nvidia-graphics-drivers-legacy-340xx (340.107-4) unstable; urgency=medium . * use-nv-kernel-ARCH.o_shipped.patch: Simplify for better kernel compatibility. (Closes: #922479) * Drop versioned constraints that are satisfied in wheezy (390.87-7). * Bump Standards-Version to 4.3.0. No changes needed. nvidia-graphics-drivers-legacy-340xx (340.107-3) unstable; urgency=medium . * Synchronize the module build debhelper sequence with debhelper 10 (390.87-1). * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1 (390.87-3). * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere (390.87-3). * Clean up and unify rule style in debian/rules (390.87-3). * Bump Standards-Version to 4.2.1. No changes needed. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. * Refresh patches. nvidia-graphics-drivers-legacy-340xx (340.107-2) unstable; urgency=high . * Backport kmem_cache_create_usercopy.patch from 390.67-2 for the 340.xx series, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #899998) nvidia-graphics-drivers-legacy-340xx (340.107-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers-legacy-340xx (340.107-2) unstable; urgency=high . * Backport kmem_cache_create_usercopy.patch from 390.67-2 for the 340.xx series, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #899998) . nvidia-graphics-drivers-legacy-340xx (340.107-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.107 (2018-06-06). - Added support for X.Org xserver ABI 24 (xorg-server 1.20). - Improved nvidia-bug-report.sh to check for kern.log which is the default kernel log-file location for many Debian-based Linux distributions. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Bump Standards-Version to 4.1.4. No changes needed. * Add xorg-video-abi-24 (xserver 1.20) as alternative dependency. (Closes: #900789, #900338) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. nvidia-graphics-drivers-legacy-340xx (340.107-1) unstable; urgency=medium . * New upstream legacy 340xx branch release 340.107 (2018-06-06). - Added support for X.Org xserver ABI 24 (xorg-server 1.20). - Improved nvidia-bug-report.sh to check for kern.log which is the default kernel log-file location for many Debian-based Linux distributions. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Bump Standards-Version to 4.1.4. No changes needed. * Add xorg-video-abi-24 (xserver 1.20) as alternative dependency. (Closes: #900789, #900338) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. nvidia-graphics-drivers-legacy-340xx (340.106-2) unstable; urgency=medium . * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description (384.111-4). * Update lintian overrides. nyancat (1.5.1-1+build1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . nyancat (1.5.1-1+build1) unstable; urgency=medium . * Non-maintainer upload. * No-change rebuild in a clean environment to add the systemd unit for nyancat-server. (Closes: #947292) openconnect (7.08-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Close HTTPS connection on failure returns from process_http_response() * Fix buffer overflow with chunked HTTP handling (CVE-2019-16239) (Closes: #940871) opendmarc (1.3.2-2+deb9u2) stretch-security; urgency=high . * CVE-2019-16378: https://github.com/trusteddomainproject/OpenDMARC/pull/48 to address incorrect DMARC pass results with multi-from mail (Closes: #940081) openjdk-8 (8u232-b09-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security openjdk-8 (8u232-b07-2) unstable; urgency=medium . * Update to 8u232-b07 (early access build). . [ Matthias Klose ] * Refresh patches. * openjdk-8-jdk-headless: Add Breaks/Replaces for moved clhsdb binary. LP: #1845873. * debian/tests/control: Depend on g++ instead of build-essential or libc6-dev. * Bump standards vesion. . [ Tiago Stürmer Daitx ] * Improve and fix build tests and autopkgtests: - Update debian/tests/hotspot,jdk,langtools to ignore jtreg-autopkgtest.sh return code. - Create debian/tests/jtdiff-autopkgtest.in as it depends on debian/rules variables. - debian/control.in, debian/control: add default-jre-headless to Build-Depends with a nocheck clause as jtreg requires a JRE in /usr/lib/jvm/default-java. - debian/tests/control: + Add zip and unzip test dependencies required by jdk's test/sun/security/tools/jarsigner/diffend.sh and test/sun/security/tools/jarsigner/emptymanifest.sh. + Depend on default-jre-headless so jtreg will use the JRE from /usr/lib/jvm/default-java. - debian/tests/jtdiff-autopkgtest.sh: + Fail only if an actual regression is detected. + Add the super-diff comparison from jtdiff. + Save failed jtr files for all runs. - debian/tests/jtreg-autopkgtest.sh: + Enable retry of failed tests to trim out flaky tests. + Fix unbound variable. + Keep .jtr files from failed tests only. - debian/patches/jdk-problem-list.diff: ignore failing tests that require more investigation. - debian/rules: + Preserve all JTreport directories in the test output directory. + Use JDK_DIR instead of JDK_TO_TEST for autopkgtest generation. + Package all .jtr files from JTwork as jtreg-autopkgtest.sh makes sure it contains only failed tests. * debian/tests/jdk: add our custom debian/tests/jdk-problem-list.txt to the exclusion list. * debian/tests/jdk-problem-list.txt: custom exclusion rules for jdk tests that fail to run during a build or autopkgtest run. * debian/rules: remove debian/patches/jdk-problem-list.diff. * debian/patches/jdk-problem-list.diff: jtreg allows for extra exclusion files thus there's no need to patch upstream's exclusion list. * debian/tests/control: mark all autopkgtests as flaky. * debian/tests/hotspot-archs: generated by debian/rules, contains a list of archs that supports a hotspot vm. * debian/tests/jdk: run only when the host arch is a hotspot vm - allow override through an environment variable. * debian/rules: update gen-autopkgtests to echo supported hotspot archs. openjdk-8 (8u232-b07-1) unstable; urgency=medium . * Update to 8u232-b07 (early access build). . [ Matthias Klose ] * Refresh patches. * openjdk-8-jdk-headless: Add Breaks/Replaces for moved clhsdb binary. LP: #1845873. * debian/tests/control: Depend on g++ instead of build-essential or libc6-dev. * Bump standards vesion. . [ Tiago Stürmer Daitx ] * Improve and fix build tests and autopkgtests: - Update debian/tests/hotspot,jdk,langtools to ignore jtreg-autopkgtest.sh return code. - Create debian/tests/jtdiff-autopkgtest.in as it depends on debian/rules variables. - debian/control.in, debian/control: add default-jre-headless to Build-Depends with a nocheck clause as jtreg requires a JRE in /usr/lib/jvm/default-java. - debian/tests/control: + Add zip and unzip test dependencies required by jdk's test/sun/security/tools/jarsigner/diffend.sh and test/sun/security/tools/jarsigner/emptymanifest.sh. + Depend on default-jre-headless so jtreg will use the JRE from /usr/lib/jvm/default-java. - debian/tests/jtdiff-autopkgtest.sh: + Fail only if an actual regression is detected. + Add the super-diff comparison from jtdiff. + Save failed jtr files for all runs. - debian/tests/jtreg-autopkgtest.sh: + Enable retry of failed tests to trim out flaky tests. + Fix unbound variable. + Keep .jtr files from failed tests only. - debian/patches/jdk-problem-list.diff: ignore failing tests that require more investigation. - debian/rules: + Preserve all JTreport directories in the test output directory. + Use JDK_DIR instead of JDK_TO_TEST for autopkgtest generation. + Package all .jtr files from JTwork as jtreg-autopkgtest.sh makes sure it contains only failed tests. * debian/tests/jdk: add our custom debian/tests/jdk-problem-list.txt to the exclusion list. * debian/tests/jdk-problem-list.txt: custom exclusion rules for jdk tests that fail to run during a build or autopkgtest run. * debian/rules: remove debian/patches/jdk-problem-list.diff. * debian/patches/jdk-problem-list.diff: jtreg allows for extra exclusion files thus there's no need to patch upstream's exclusion list. * debian/tests/control: mark all autopkgtests as flaky. * debian/tests/hotspot-archs: generated by debian/rules, contains a list of archs that supports a hotspot vm. * debian/tests/jdk: run only when the host arch is a hotspot vm - allow override through an environment variable. * debian/rules: update gen-autopkgtests to echo supported hotspot archs. openjdk-8 (8u232-b04-1) experimental; urgency=medium . * Update to 8u232-b04 (early access build). * Refresh patches. openjdk-8 (8u222-b10-1) unstable; urgency=high . * Update to 8u222-b10 (except for AArch32, updated to b08). - Security fixes: - S8191073: JpegImageReader throws IndexOutOfBoundsException when trying to read image data from tables-only image. - S8208698, CVE-2019-2745: Improved ECC Implementation. - S8212328, CVE-2019-2762: Exceptional throw cases. - S8213431, CVE-2019-2766: Improve file protocol handling. - S8213432, CVE-2019-2769: Better copies of CopiesList. - S8216381, CVE-2019-2786: More limited privilege usage. - S8217563: Improve realm maintenance. - S8218863: Better endpoint checks. - S8218873: Improve JSSE endpoint checking. - S8218876, CVE-2019-7317: Improve PNG support options. - S8219018: Adjust positions of glyphs. - S8219020: Table alternate substitutions. - S8219775: Certificate validation improvements. - S8220192: Better outlook for SecureRandom. - S8220517: Enhanced GIF support. - S8221518, CVE-2019-2816: Normalize normalization. - S8223511, CVE-2019-2842: Extended AES support. . [ Matthias Klose ] * Bump standards version. . [ Tiago Stürmer Daitx ] * Backport fix for S8223511 for AArch32. openjpeg2 (2.1.2-1.1+deb9u4) stretch; urgency=medium . * Non-maintainer upload. * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile (Closes: #939553). * CVE-2018-20847: improper computation of values in the function opj_get_encoding_parameters, leading to an integer overflow (Closes: #931294). * CVE-2016-9112: floating point exception or divide by zero in the function opj_pi_next_cprl (Closes: #844551). opensmtpd (6.0.2p1-2+deb9u2) stretch-security; urgency=high . * Fix following vulnerability, 018_smtpd_tls.patch.sig: smtpd can crash on opportunistic TLS downgrade, causing a denial of service. opensmtpd (6.0.2p1-2+deb9u1) stretch-security; urgency=high . * Fix privilege escalation vulnerability, 019_smtpd_exec.patch.sig. An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user. (Closes: #950121) (CVE-2020-7247) openssl (1.1.0l-1~deb9u1) stretch-security; urgency=medium . * Import 1.1.0l - CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP construction). - CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey). openssl1.0 (1.0.2u-1~deb9u1) stretch-security; urgency=medium . * Import 1.0.2u - CVE-2019-1551 (Overflow in the x64_64 Montgomery squaring procedure). openssl1.0 (1.0.2t-1~deb9u1) stretch-security; urgency=medium . * Import 1.0.2t - CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP construction). - CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey). pam-python (1.0.6-1.1+deb9u1) stretch-security; urgency=high . * Backport fix CVE-2019-16729 backport from 1.0.7. pam-python (1.0.6-1.1) unstable; urgency=medium . * Non-maintainer upload. * Fix build with glibc 2.26, thanks to Adrian Bunk (Closes: #887750). * Fix build with GCC 8 perl (5.24.1-3+deb9u6) stretch; urgency=medium . * Add backported Time-Local patch by Bernhard M. Wiedemann fixing test failures from the year 2020 onwards. Thanks to Dean Hamstead. (Closes: #915209) php-horde (5.2.13+debian0-1+deb9u1) stretch; urgency=high . * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block. php-imagick (3.4.3~rc2-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Out-of-bounds write to memory in ImagickKernel::fromMatrix() (CVE-2019-11037) (Closes: #928420) php7.0 (7.0.33-0+deb9u6) stretch-security; urgency=medium . * Backported from 7.1.33 - FPM: . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043) php7.0 (7.0.33-0+deb9u5) stretch-security; urgency=medium . * Backported security fixes from PHP 7.1.29: - EXIF: . Fixed bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG). - Mail: . Fixed bug #77821 (Potential heap corruption in TSendMail()). * Backported from 7.1.30 - EXIF: . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). (CVE-2019-11040) - GD: . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). (CVE-2019-11038) - Iconv: . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow). (CVE-2019-11039). - SQLite: . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). * Backported from 7.1.31 - EXIF: . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042) . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041) - Phar: . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). - SQLite: . Upgraded to SQLite 3.28.0. * Backported from 7.1.32 - mbstring: . Fixed CVE-2019-13224 (don't allow different encodings for onig_new_deluxe) - pcre: . Fixed bug #75457 (heap use-after-free in pcrelib) postfix (3.1.14-0+deb9u1) stretch; urgency=medium . [Wietse Venema] . * 3.1.13 - Bugfix (introduced: Postfix 2.3): a censoring filter broke multiline Milter responses for header/body events. Problem report by Andreas Thienemann. Files: util/printable.c, util/stringops.h, smtpd/smtpd.c - Workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. With "tls_fast_shutdown_enable = yes" (the default), Postfix no longer waits for the TLS peer to respond to a TLS 'close' request. This is recommended with TLSv1.0 and later. Files: global/mail_params.h, tls/tls_session.c, and documentation. - Bugfix (introduced: Postfix 3.0): the code to reset Postfix SMTP server command counts was not called after a HaProxy handshake failure, causing stale numbers to be reported. The command counts are now reset in the function that reports the counts. File: smtpd/smtpd.c * 3.1.14 - Bugfix: the documentation said tls_fast_shutdown_enable, but the code said tls_fast_shutdown. Viktor Dukhovni. Changed the code because no-one is expected to override the default. File: global/mail_params.h. - Workaround for poor TCP loopback performance on LINUX, where getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment size that is 1/2 to 1/3 of the MTU. For example, with kernel 5.1.16-300.fc30.x86_64 the TCP client and server announce an mss of 65495 in the TCP handshake, but getsockopt() returns 32741 (less than half). As a matter of principle, Postfix won't turn on client-side TCP_NODELAY because that hides application performance bugs, and because that still suffers from server-side delayed ACKs. Instead, Postfix avoids sending "small" writes back-to-back, by choosing a VSTREAM buffer size that is a multiple of the reported MSS. This workaround bumps the multiplier from 2x to 4x. File: util/vstream_tweak.c. - Bugfix (introduced: 20051222): the Dovecot client could segfault (null pointer read) or cause an SMTP server assertion to fail when talking to a fake Dovecot server. The client now logs a proper error instead. Problem reported by Tim Düsterhus. File: xsasl/xsasl_dovecot_server.c. - Bitrot: don't invoke SSL_shutdown() when the SSL engine thinks it is processing a TLS handshake. The commit at https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59 changed the error status, incompatibly, from SSL_ERROR_NONE into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c. - Bugfix (introduced: Postfix-2.9.0): null pointer read, while logging a warning after a postscreen_command_filter read error. File: postscreen/postscreen_smtpd.c. postgresql-9.6 (9.6.16-0+deb9u1) stretch; urgency=medium . * New upstream version. postgresql-common (181+deb9u3) stretch-security; urgency=medium . * pg_ctlcluster: Drop privileges before creating socket and stats temp directories outside /var/run/postgresql. The default configuration is not affected by this change. Users with directories on volatile storage (tmpfs) in other locations have to make sure the parent directory is writable for the cluster owner. (CVE-2019-3466, discovered by Rich Mirch) proftpd-dfsg (1.3.5b-4+deb9u3) stretch; urgency=medium . * Cherry pick patch from upstream: - for upstream bug #861 (CVE-2019-19269) (Closes: #946345) Patch named upstream_pull_861_CVE-2019-19269 proftpd-dfsg (1.3.5b-4+deb9u2) stretch-security; urgency=high . * Add patch from upstream to address CVE-2019-18217. (Closes: #942831) prosody-modules (0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1) stretch-security; urgency=medium . * fix for CVE-2020-8086 pykaraoke (0.7.5-1.2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix path to fonts. (Closes: #948385) python-acme (0.28.0-1~deb9u2) stretch; urgency=medium . * This stretch update is to switch to using a POST-as-GET protocol before the November 1, 2019 deadline when Let's Encrypt will begin refusing requests using the (old) GET protocol. (Closes: #932248) python-apt (1.4.1) stretch-security; urgency=high . * SECURITY UPDATE: Check that repository is trusted before downloading files from it (LP: #1858973) - apt/cache.py: Add checks to fetch_archives() and commit() - apt/package.py: Add checks to fetch_binary() and fetch_source() - CVE-2019-15796 * SECURITY UPDATE: Do not use MD5 for verifying downloadeds (Closes: #944696) (#LP: #1858972) - apt/package.py: Use all hashes when fetching packages, and check that we have trusted hashes when downloading - CVE-2019-15795 * To work around the new checks, the parameter allow_unauthenticated=True can be passed to the functions. It defaults to the value of the APT::Get::AllowUnauthenticated option. * Cherry-pick "add pkgsrcrecord.Files.{hashes,size,path,type} getters" to enable apt_pkg.SourceRecords to return objects with such getters instead of just tuples (providing tuple-style backward compatibility). * Automatic changes and fixes for external regressions: - Adjustments to test suite and CI to fix CI regressions - testcommon: Avoid reading host apt.conf files - Automatic mirror list update python-cryptography (1.7.1-3+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Ignore test_load_ecdsa_no_named_curve in the testsuite because it known to break with newer openssl (Closes: #940547). python-django (1:1.10.7-2+deb9u7) stretch-security; urgency=high . * CVE-2019-19844: Prevent a potential account hijack via the password reset form. (Closes: #946937) python-ecdsa (0.13-2+deb9u1) stretch-security; urgency=high . * Add patch for strict error checking in DER decoding integers. Fix: - CVE-2019-14853 - CVE-2019-14859 python-flask-rdf (0.2.0-1.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. * Add (Build-)Depends on python{3,}-rdflib. (Closes: #896358, #896385) . python-flask-rdf (0.2.0-1.1) unstable; urgency=medium . * Non-maintainer upload. * Fix the missing dependencies in python3-flask-rdf. (Closes: #867429) python-pgmagick (0.6.4-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Backport upstream FTBFS fix to handle version detection of graphicsmagick security updates that identify themself as version 1.4. python-werkzeug (0.11.15+dfsg1-1+deb9u1) stretch; urgency=medium . * Unique debugger PIN in Docker containers (Closes: #940935, CVE-2019-14806) redmine (3.3.1-4+deb9u3) stretch-security; urgency=high . * Fix CVE-2019-17427: persistent XSS exists due to textile formatting errors. * Fix CVE-2019-18890: SQL injection vulnerability ros-ros-comm (1.12.6-2+deb9u2) stretch; urgency=medium . * Add https://github.com/ros/ros_comm/pull/1741 (Fix CVE-2019-13445) ros-ros-comm (1.12.6-2+deb9u1) stretch; urgency=high . * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566) ruby-encryptor (3.0.0-1+deb9u1) stretch; urgency=medium . * Team upload * Ignore test failures (Its only reverse dependency is ruby-attr-encrypted which handles this correctly, all of its tests pass) (Closes: #880276) ruby-loofah (2.0.3-2+deb9u3) oldstable-security; urgency=high . * Team upload . * debian/patches - add 0005-Fix-CVE-2019-15587.patch (Closes: #942894) (CVE-2019-15587) ruby2.3 (2.3.3-1+deb9u7) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix for wrong fnmatch patttern (CVE-2019-15845) * Loop with String#scan without creating substring (CVE-2019-16201) * WEBrick: prevent response splitting and header injection (CVE-2019-16254) * lib/shell/command-processor.rb (Shell#[]): prevent unknown command (CVE-2019-16255) rust-cbindgen (0.8.7-1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Backport to stretch. * Vendor all the dependencies as they are not available on stretch. * Require a new version of cargo for the cargo wrapper. rust-cbindgen (0.8.3-1) experimental; urgency=medium . * Package cbindgen 0.8.3 from crates.io using debcargo 2.2.10 rust-cbindgen (0.8.2-1) experimental; urgency=medium . * Package cbindgen 0.8.2 from crates.io using debcargo 2.2.10 rust-cbindgen (0.8.0-1) unstable; urgency=medium . * Package cbindgen 0.8.0 from crates.io using debcargo 2.2.10 * Remove relax-serde-dep.diff as it isn't necessary anymore rust-cbindgen (0.7.1-1) unstable; urgency=medium . * Package cbindgen 0.7.1 from crates.io using debcargo 2.2.10 rust-cbindgen (0.6.8-1) unstable; urgency=medium . * Package cbindgen 0.6.8 from crates.io using debcargo 2.2.9 rust-cbindgen (0.6.7-2) unstable; urgency=medium . * Package cbindgen 0.6.7 from crates.io using debcargo 2.2.9 * Import a patch from Emilio to build with sync 0.15 (Closes: #917317) * Run the testsuiteo rust-cbindgen (0.6.7-1) unstable; urgency=medium . * Package cbindgen 0.6.7 from crates.io using debcargo 2.2.8 * relax the syn dep to accept 0.15 (Closes: #915005) rust-cbindgen (0.6.6-1) unstable; urgency=medium . * Package cbindgen 0.6.6 from crates.io using debcargo 2.2.8 (Closes: #908312) rustc (1.34.2+dfsg1-1~deb9u1) stretch; urgency=medium . * Backport to stretch. * Bootstrap with upstream binaries. * Reduce debugging symbols on i386 to avoid FTBFS due to OOM. rustc (1.33.0+dfsg1-2) unstable; urgency=medium . * Add Fedora patches. * Bump i386 allowed test failures to 12. rustc (1.33.0+dfsg1-1) unstable; urgency=medium . * Upload to unstable. * Fix build on mips, flags needed whitespace massaging. * Drop obsolete patches. rustc (1.33.0+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. . [ Hiroaki Nakamura ] * Delete obsolete patch. . [ Sylvestre Ledru ] * Update compiler-rt patch. * Improve build-related docs a bit. rustc (1.32.0+dfsg1-3) unstable; urgency=medium . * Conditionally-apply u-compiletest.patch based on stage0 compiler. * Fix syntax error in d/rules compiletest check. rustc (1.32.0+dfsg1-2) unstable; urgency=medium . * More verbose logging during builds. * Fix compiletest compile error, and check log has at least 1 pass. rustc (1.32.0+dfsg1-1) unstable; urgency=medium . * New upstream release. rustc (1.32.0~beta.2+dfsg1-1~exp2) experimental; urgency=medium . * Note that this upstream version already Closes: #917191. * Backport other upstream fixes. (Closes: #916818, #917000, #917192). rustc (1.32.0~beta.2+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. * Drop obsolete d-sparc64-dont-pack-spans.patch rustc (1.31.0+dfsg1-2) unstable; urgency=medium . * Bump mips mipsel s390x allowed-failures to 24. rustc (1.31.0+dfsg1-1) unstable; urgency=medium . * Revert debuginfo patches, they're not ready yet. rustc (1.31.0+dfsg1-1~exp2) experimental; urgency=medium . * Drop redundant patches. * Fix line numbers in some test-case patches. * Backport an updated patch for gdb 8.2. rustc (1.31.0+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. rustc (1.31.0~beta.19+dfsg1-1~exp2) experimental; urgency=medium . * Filter LLVM build flags to not be stupid. rustc (1.31.0~beta.19+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. rustc (1.31.0~beta.4+dfsg1-1~exp2) experimental; urgency=medium . * Merge changes from Debian unstable. rustc (1.31.0~beta.4+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. * Drop old maintainers from Uploaders. rustc (1.30.0+dfsg1-2) unstable; urgency=medium . * Increase FAILURES_ALLOWED for mips mipsel to 20. * Set debuginfo-only-std = false for 32-bit powerpc architectures. rustc (1.30.0+dfsg1-1) unstable; urgency=medium . * Upload to unstable. (Closes: #881845) * Increase FAILURES_ALLOWED for mips architectures. * Set debuginfo-only-std = false for mips architectures. rustc (1.30.0+dfsg1-1~exp2) experimental; urgency=medium . * Disable debuginfo-gdb tests relating to enums. These will be fixed in an upcoming version, see upstream #54614 for details. rustc (1.30.0+dfsg1-1~exp1) experimental; urgency=medium . * Actually don't build docs in an arch-only build. * Add mips patch, hopefully closes #881845 but let's see. * New upstream release. rustc (1.30.0~beta.7+dfsg1-1~exp3) experimental; urgency=medium . * Do the necessary bookkeeping for the LLVM update. rustc (1.30.0~beta.7+dfsg1-1~exp2) experimental; urgency=medium . * Tweak test failure rules: armel <= 8, ppc64 <= 12. * Update to LLVM 7. rustc (1.30.0~beta.7+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. rustc (1.29.0+dfsg1-1) unstable; urgency=medium . * Upload to unstable. * Drop d-armel-disable-kernel-helpers.patch as a necessary part of the fix to #906520, so it is actually fixed. * Backport a patch to fix the rand crate on powerpc. (Closes: #909400) * Lower the s390x allowed failures back to 25. rustc (1.29.0+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. * Include patch for armel atomics. (Closes: #906520) * Update to latest Standards-Version; no changes required. rustc (1.28.0+dfsg1-3) unstable; urgency=medium . * Team upload. . [ Ximin Luo ] * More sparc64 fixes, and increase allowed-test-failures there to 180. . [ Julien Cristau ] * Don't use pentium4 as i686 baseline (closes: #908561) rustc (1.28.0+dfsg1-2) unstable; urgency=medium . * Switch on verbose-tests to restore the old pre-1.28 behaviour, and restore old failure-counting logic. * Allow 50 test failures on s390x, restored failure-counting logic avoids more double-counts. rustc (1.28.0+dfsg1-1) unstable; urgency=medium . * New upstream release. * Add patches from Fedora to fix some test failures. * Ignore a failure testing specific error output, under investigation. * Allow 100 test failures on s390x, should be reducible later with LLVM 7. * Temporary fix for mips64el bootstrap. * Be even more verbose during the build. * Update to latest Standards-Version. rustc (1.28.0~beta.14+dfsg1-1~exp2) experimental; urgency=medium . * Update test-failure counting logic. * Fix version constraints for Recommends: cargo. * Add patch to fix sparc64 CABI. rustc (1.28.0~beta.14+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. * Update to latest Standards-Version; no changes required. rustc (1.27.2+dfsg1-1) unstable; urgency=medium . [ Sylvestre Ledru ] * Update of the alioth ML address. . [ Ximin Luo ] * Fail the build if our version contains ~exp and we are not releasing to experimental, this has happened by accident a few times already. * Allow 36 and 44 test failures on armel and s390x respectively. * New upstream release. rustc (1.27.1+dfsg1-1~exp4) experimental; urgency=medium . * Unconditonally prune crate checksums to avoid having to manually prune them whenever we patch the vendored crates. rustc (1.27.1+dfsg1-1~exp3) experimental; urgency=medium . * Add patch from Fedora to fix rebuild against same version. rustc (1.27.1+dfsg1-1~exp2) experimental; urgency=medium . * Fix some failing tests. rustc (1.27.1+dfsg1-1~exp1) unstable; urgency=medium . * New upstream release. rustc (1.26.2+dfsg1-1) unstable; urgency=medium . * New upstream release. * Stop ignoring tests that now pass. * Don't ignore tests that still fail, instead raise FAILURES_ALLOWED. This allows us to see the test failures in the build logs, rather than hiding them. rustc (1.26.1+dfsg1-3+exp1) experimental; urgency=medium . * Unignore all tests that seem like they should pass, as an experiment. rustc (1.26.1+dfsg1-3) unstable; urgency=medium . * Fix build-dep version range to build against myself. rustc (1.26.1+dfsg1-2+exp1) experimental; urgency=medium . * Unignore all tests that seem like they should pass, as an experiment. rustc (1.26.1+dfsg1-1) unstable; urgency=medium . * New upstream release. rustc (1.26.0+dfsg1-1~exp4) experimental; urgency=medium . * Try alternative patch to ignore x86 stdsimd tests suggested by upstream. * Bump up allowed-test-failures to 8 to account for the fact that we're now double-counting some failures. rustc (1.26.0+dfsg1-1~exp3) experimental; urgency=medium . * Ignore some irrelevant tests on ppc64 and non-x86 platforms. rustc (1.26.0+dfsg1-1~exp2) experimental; urgency=medium . * Add Breaks+Replaces for older libstd-rust-dev with codegen-backends. (Closes: #899180) * Backport some test and packaging fixes from Ubuntu. rustc (1.26.0+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. * Update to latest Standards-Version; no changes required. * Update doc-base files. (Closes: #876831) rustc (1.25.0+dfsg1-2) unstable; urgency=medium . * Add patches for LLVM's compiler-rt to fix bugs on sparc64 and mips64. (Closes: #898982) * Install codegen-backends into rustc rather than libstd-rust-dev. (Closes: #899087) rustc (1.25.0+dfsg1-1) unstable; urgency=medium . * Upload to unstable. * Allow up to 15 test failures on s390x. * Set CARGO_INCREMENTAL=0 on sparc64. rustc (1.25.0+dfsg1-1~exp2) experimental; urgency=medium . * Install missing codegen-backends. rustc (1.25.0+dfsg1-1~exp1) experimental; urgency=medium . * New upstream release. * Update to LLVM 6.0. rustc (1.24.1+dfsg1-1) unstable; urgency=medium . * Upload to unstable. * Raise allowed-test-failures to 160 on some non-release arches: powerpc, powerpcspe, sparc64, x32. rustc (1.24.1+dfsg1-1~exp2) experimental; urgency=medium . * Steal some patches from Fedora to fix some test failures. * Update debian/patches/u-make-tests-work-without-rpath.patch to try to fix some more test failures. rustc (1.24.1+dfsg1-1~exp1) experimental; urgency=medium . * More sparc64 CABI fixes. (Closes: #888757) * New upstream release. * Note that s390x baseline was updated in the meantime. (Closes: #851150) * Include Debian-specific patch to disable kernel helpers on armel. (Closes: #891902) * Include missing build-dependencies for pkg.rustc.dlstage0 build profile. (Closes: #891022) * Add architecture.mk mapping for armel => armv5te-unknown-linux-gnueabi. (Closes: #891913) * Enable debuginfo-only-std on armel as well. (Closes: #891961) * Backport upstream patch to support powerpcspe. (Closes: #891542) * Disable full-bootstrap again to work around upstream #48319. safe-rm (0.12-2+deb9u1) stretch; urgency=medium . * Prevent installation in (and thereby breaking of) merged /usr environments. (See: #759410) simplesamlphp (1.14.11-1+deb9u2) stretch-security; urgency=high . * Update by the security team for stretch. * Fix security issue CVE-2019-3465 (closes: #944107). sorl-thumbnail (12.3+git20160928-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. . [ W. Martin Borgert ] * workaround a pgmagick exception (Closes: #902522) spamassassin (3.4.2-1~deb9u3) stretch-security; urgency=medium . * Security update to address - CVE-2020-1930. Arbitrary code execution via malicious rule files. - CVE-2020-1931. Arbitrary code execution via malicious rule files. (Closes: #950258) spamassassin (3.4.2-1~deb9u2) stretch-security; urgency=high . * Security update to address CVE-2018-11805. Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios. (Closes: 946652) * Security update to address CVE-2019-12420. Messages can be crafted in a way to use excessive resources, resulting in a denial of service. (Closes: 946653) spip (3.1.4-4~deb9u3) stretch-security; urgency=medium . * Backport security fixes from 3.1.11 - Critical security fix, allowing unidentified visitor to modify any published content and execute other modifications in database [CVE-2019-16391] - Other security fixes: + better sanitization on redirections [CVE-2019-16393] + don’t disclose if user exists when resetting password [CVE-2019-16394] + better error message sanitization on login page [CVE-2019-16392] - Update security screen to 1.3.12 * Add CVE ID to previous changelog entry sssd (1.15.0-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * sysdb: sanitize search filter input (CVE-2017-12173) (Closes: #877885) subversion (1.9.5-1+deb9u5) stretch-security; urgency=medium . * Non-maintainer upload. * Backport upstream fix for segfault with new mod_http2 from DSA-4509-1. Closes: #936034 sudo (1.8.19p1-2.1+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix a buffer overflow when pwfeedback is enabled and input is a not a tty (CVE-2019-18634) (Closes: #950371) sudo (1.8.19p1-2.1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Treat an ID of -1 as invalid since that means "no change" (CVE-2019-14287) * Fix test failure in plugins/sudoers/regress/testsudoers/test5.sh symfony (2.8.7+dfsg-1.3+deb9u3) stretch-security; urgency=medium . * Backport security fixes from 2.8.52 - [HttpKernel] Use constant time comparison in UriSigner [CVE-2019-18887] - [HttpFoundation] fix guessing mime-types of files with leading dash [CVE-2019-18888] tcpdump (4.9.3-1~deb9u1) stretch-security; urgency=high . * New upstream release, with fixes for 24 different CVEs (closes: #941698). This is an upstream update on top of the 4.9.2-1~deb9u1 package. * Disable tests that require a newer libpcap version. tcpdump (4.9.3~git20190901-2) unstable; urgency=medium . * Disable failing IKEv2 test again to fix build on ppc64el. tcpdump (4.9.3~git20190901-1) unstable; urgency=low . * New upstream snapshot from the tcpdump-4.9 branch: + Includes fix for CVE-2017-16808 (closes: #881862). + Fixes ESP decryption on ppc64el (and others), re-enable tests. * Drop root privileges by default (closes: #935112): + debian/rules: Configure --with-user=tcpdump. + debian/tcpdump.post{inst,rm}: Create/delete a 'tcpdump' system group and user. + debian/control: Add dependency on adduser. + debian/patches/drop-privs-after-opening-savefile.diff: New patch (from Fedora) to drop root privileges *after* opening the savefile when possible, to alleviate possible inconvenience if the target directory is not writable by user tcpdump. + debian/patches/drop-privs-silently.diff: New patch (from Fedora) to drop root privileges silently. + debian/usr.sbin.tcpdump: Add chown capability, and update rules about device discovery. + debian/NEWS: Mention how to run tcpdump as root. * Bump Standards-Version to 4.4.0. tcpdump (4.9.2-3) unstable; urgency=medium . [ Jamie Strandboge ] * debian/usr.sbin.tcpdump: drop 'capability sys_module' since we already have 'net_admin' and network module loading (which happens with -D) is allowed with 'net_admin' (LP: #1759029) (closes: #894161) . [ Romain Francoise ] * Switch to debhelper compatibility level 11. * Bump Standards-Version to 4.1.3. tcpdump (4.9.2-2) unstable; urgency=medium . * Use new URLs on salsa.debian.org for Vcs-* fields. * Bump Standards-Version to 4.1.2. tcpdump (4.9.2-1) unstable; urgency=high . * New upstream release: + Fixes 86 new CVEs, see the upstream changelog for the full list. + Now supports OpenSSL 1.1, so move back to libssl-dev (closes: #859740). * Urgency high due to security fixes. thunderbird (1:68.4.1-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security thunderbird (1:68.3.1-1) unstable; urgency=medium . [ Emilio Pozuelo Monfort ] * [6f59313] Fix MOZ_BUILD_DATE to have the expected format . [ Carsten Schoenert ] * [5d0f4b1] d/rules: don't use SOURCE_DATE_EPOCH for MOZ_BUILD_DATE (Closes: #946588) * [1467af5] New upstream version 68.3.1 thunderbird (1:68.3.0-2) unstable; urgency=medium . * [0625d30] rebuild patch queue from patch-queue branch added patches: fixes/Bug-1531309-Don-t-use-__PRETTY_FUNCTION__-or-__FUNCTION__.patch fixes/Update-bindgen-in-ESR68.-r-glandium-a-RyanVM.patch * [ea8d98c] Breaks: add versioned birdtray package thunderbird (1:68.3.0-2~deb10u1) stable-security; urgency=medium . * Rebuild for buster-security [ Emilio Pozuelo Monfort ] * [de88895] Fix MOZ_BUILD_DATE to have the expected format (cherry-picked from debian/sid) . [ Carsten Schoenert ] * [a077b71] d/rules: don't use SOURCE_DATE_EPOCH for MOZ_BUILD_DATE (cherry-picked from debian/sid) (Closes: #946588) thunderbird (1:68.3.0-2~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security thunderbird (1:68.3.0-1) unstable; urgency=medium . * [fe289ec] /u/b/thunderbird: export variable DICPATH before start (Closes: #944295) * [a9a48c6] New upstream version 68.3.0 Fixed CVE issues in upstream version 68.3 (MFSA 2019-38): CVE-2019-17008: Use-after-free in worker destruction CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher CVE-2019-17009: Updater temporary files accessible to unprivileged processes CVE-2019-17010: Use-after-free when performing device orientation checks CVE-2019-17005: Buffer overflow in plain text serializer CVE-2019-17011: Use-after-free when retrieving a document in antitracking CVE-2019-17012: Memory safety bugs fixed in Firefox 71, Firefox ESR 68.3, and Thunderbird 68.3 * [fb23473] d/control: increase B-D version on NSS to 3.44.3 * [6f59938] Breaks: adding more non compatible packaged AddOns thunderbird (1:68.2.2-1) unstable; urgency=medium . * [198d539] xul-ext-compactheader: allow also version << 3.0.0 * [0e93753] d/control: add incompatibility with jsunit << 0.2.2 * [87c84cb] New upstream version 68.2.2 This upstream version has removed the source for calendar-google-provider, thus we can't provide the related binary package any more. * [a3cea2a] rebuild patch queue from patch-queue branch rebuild patch queue from patch-queue branch . removed patches (included upstream): debian/patches/fixes/Bug-1470701-Use-run-time-page-size-when-changing-map.patch debian/patches/fixes/Bug-1505608-Try-to-ensure-the-bss-section-of-the-elf.patch debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch debian/patches/fixes/Build-also-gdata-provider-as-xpi-file.patch debian/patches/fixes/rust-ignore-not-available-documentation.patch debian/patches/porting-kfreebsd-hurd/Fix-GNU-non-Linux-failure-to-build-because-of-ipc-ch.patch debian/patches/porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch debian/patches/porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch debian/patches/porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch debian/patches/porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch * [1730f5f] d/control: remove references to calendar-google-provider Don't build calendar-google-provider any more and remove any references from other binary packages. * [1b0bbb8] d/rules: remove any calendar-google-provider stuff * [92f681c] thunderbird.NEWS: Adding hint about removal of gdata Give out an announcement about the removal of a possible previously installed package calendar-google-provider. thunderbird (1:68.2.2-1~deb10u1) stable-security; urgency=medium . * Rebuild for buster-security * [2c1bd00] d/mozconfig.default: use internal version of nspr, nss, sqlite and icu * [94d6ae4] d/control: remove lib{nspr4,nss3,sqlite3}-dev from B-D thunderbird (1:68.2.2-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security * [038dcd9] use nodejs-mozilla within stretch-security The package nodejs isn't available for stretch, but nodejs-mozilla is usable. Thanks for backporting! * [4bdcd39] d/mozconfig.default: remove option for hunspell Thunderbird 68 isn't using external (or internal) hunspell features any more. This requires the usage of external dictionaries provided by AddOns. * [e368b15] d/mozconfig.default: remove doubled sqlite option Removed a doubled disabled option for libsqlite3, the merge from buster was bringing already this option as a disabled option. * [8ddc95c] use internal libvpx library within stretch-security Also libvpx is to old on stretch and we switch to the internal version from the Thunderbird source. thunderbird (1:68.2.1-1) unstable; urgency=medium . [ intrigeri ] * [c48e2cb] AppArmor: update profile from upstream at commit a27a1a5 (Closes: #941290) . [ Carsten Schoenert ] * [98497ae] New upstream version 68.2.0 Fixed CVE issues in upstream version 68.2 (MFSA 2019-35): CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber CVE-2019-11757: Use-after-free when creating index updates in IndexedDB CVE-2019-11758: Potentially exploitable crash due to 360 Total Security CVE-2019-11759: Stack buffer overflow in HKDF output CVE-2019-11760: Stack buffer overflow in WebRTC networking CVE-2019-11761: Unintended access to a privileged JSONView object CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2 (Closes: #925841) * [a104c51] d/control: increase Standards-Version to 4.4.1 * [6c9d012] xul-ext-dispmua: set current min usable version * [b3bf16f] New upstream version 68.2.1 * [8f89b90] d/control: decrease build architecture list Decreasing the current list of build architectures. Not meant to keep this forever, removed RC architectures needing support and volunteering to get them back. (Closes: #921258) thunderbird (1:68.1.2-1~exp1) experimental; urgency=medium . * [81f4144] xul-ext-compactheader: increase minimal usable version * [a815589] Update the global information about TB in Debian * [bb5f5f7] rebuild patch queue from patch-queue branch * [6fe7d3f] xul-ext-sogo-connector: increase minimal usable version * [2e29af5] New upstream version 68.1.2 thunderbird (1:68.1.1-1~exp1) experimental; urgency=medium . [ intrigeri ] * [3f49653] AppArmor: update profile from upstream at commit ed52e4a . [ Carsten Schoenert ] * [348f476] New upstream version 68.0~b5 * [2a2f101] New upstream version 68.1.1 Fixed CVE issues in upstream version 68.1 (MFSA 2019-20): CVE-2019-11711: Script injection within domain through inner window reuse CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects CVE-2019-11713: Use-after-free with HTTP/2 cached stream CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault CVE-2019-11715: HTML parsing error can contribute to content XSS CVE-2019-11716: globalThis not enumerable until accessed CVE-2019-11717: Caret character improperly escaped in origins CVE-2019-11719: Out-of-bounds read when importing curve25519 private key CVE-2019-11720: Character encoding XSS vulnerability CVE-2019-11721: Domain spoofing through unicode latin 'kra' character CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions CVE-2019-11725: Websocket resources bypass safebrowsing protections CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3 CVE-2019-11728: Port scanning through Alt-Svc header CVE-2019-11710: Memory safety bugs fixed in Firefox 68 and Thunderbird 68 CVE-2019-11709: Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and Thunderbird 68 . Fixed CVE issues in upstream version 68.1 (MFSA 2019-20): CVE-2019-11739: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message CVE-2019-11746: Use-after-free while manipulating video CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB CVE-2019-11743: Cross-origin access to unload event attributes CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9 . Fixed CVE issues in upstream version 68.1.1 (MFSA 2019-32): CVE-2019-11755: Spoofing a message author via a crafted S/MIME message . * [9342624] rebuild patch queue from patch-queue branch added patches: debian-hacks/Set-program-name-from-the-remoting-name.patch debian-hacks/Use-remoting-name-for-call-to-gdk_set_program_class.patch debian-hacks/Work-around-Debian-bug-844357.patch fixes/Allow-.js-preference-files-to-set-locked-prefs-with-lockP.patch fixes/Bug-1556197-amend-Bug-1544631-for-fixing-mips32.patch fixes/Bug-1560340-Only-add-confvars.sh-as-a-dependency-to-confi.patch porting-armhf/Bug-1526653-Include-struct-definitions-for-user_vfp-and-u.patch . removed patch (fixed upstream): porting-mips/Fix-CPU_ARCH-test-for-libjpeg-on-mips.patch porting/Work-around-GCC-ICE-on-mips-i386-and-s390x.patch . * [25cb500] d/control: increase various versions in B-D * [ee5b713] d/control: remove B-D on librust-cbindgen-dev Use librust-toml-dev instead, we only need some files from this package, librust-cbindgen-dev is a metapackage which is broken while packaging. * [442a6b1] d/rules: work around cargo needs a HOME dir * [4894a4c] d/control: increase Standards-Version to 4.4.0 No further changes needed. * [bb47b68] d/control: update upstream homepage for Thunderbird Since some time Mozilla Thunderbird has a new homepage placed on URI https://www.thunderbird.net/ * [a3b680e] d/source.filter: update the filter sequences New Thunderbird upstream versions bringing some new unwanted files within the source. * [7290ff4] d/control: remove transitional lightning l10n packages The Lightning l10n packages moved into transitional packages before Buster was released, now after the Buster release removing these transitional packages. All required l10n files are available in the packages thunderbird-$(locale) even for Lightning. * [3d1d27d] enigmail: increase minimal usable version Thunderbird 68.x needs at least Enigmal in version 2.1, but increase the version on Enigmail to the most recent version which is released while packaging. * [66069d9] calendar-exchange-provider: removed from Breaks This package isn't alive in unstable and testing. * [3b9f936] d/control: remove Xb-Xul-AppId field Thunderbird don't has any Xul based AddOns since version 68.0 * [7d8cd7d] lintian-overrides: remove not needed overrides thunderbird (1:68.0~b1-1) experimental; urgency=medium . * [0eabe70] New upstream version 68.0~b1 * [2febf67] rebuild patch queue from patch-queue branch added patch: debian-hacks/Downgrade-SQlite-version-to-3.27.2.patch * [cfa5973] d/s/lintian-overrides: adjust overrides for needed files * [46077e2] d/copyright: update after upstream changes thunderbird (1:67.0~b3-1) experimental; urgency=medium . [ intrigeri ] * [9ad75ad] d/rules: drop useless usage of dpkg-parsechangelog . [ Carsten Schoenert ] * [d6f6747] New upstream version 67.0~b3 * [90f73be] rebuild patch queue from patch-queue branch removed patch: fixes/Bug-1515641-Turn-enable-av1-around.-r-nalexander.patch * [7dd5c54] d/control: increase various B-D versions Increasing the version for the build depending packages of cargo, cbindgen, libnspr4-dev, libnss3-dev, libsqlite3-dev and rustc. thunderbird (1:66.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [afe31d9] New upstream version 66.0~b1 * [4ec53cc] apparmor: update profile from upstream (commit 7ace41b1) (cherry-picked from debian/sid) * [b3657a0] d/rules: make dh_clean more robust Remove some regenerated files in dh_clean to the build will not fail in case the build needs to be started twice within the same build environment. (cherry-picked from debian/sid) * [dceb027] d/rules: move disable debug option into configure step Adding the option '--disable-debug-symbols' to the file mozconfig.default in case the build is running on a 32bit architecture instead of expanding the variable 'CONFIGURE_FLAGS'. The configuration approach for this option taken from firefox-esr was not working for the thunderbird package. (cherry-picked from debian/sid) * [f7f02a9] d/rules: reorder LDFLAGS for better readability Make the used additional options for LDFLAGS better readable by reordering the various used options. Also adding the option '-Wl, --as-needed' to the list of used options here. (cherry-picked from debian/sid) * [79801fb] d/rules: use 'compress-debug-sections' only on 64bit Do not set 'LDFLAGS += -Wl,--compress-debug-sections=zlib' globally, lets use this option only if we are on a 64bit architecture as otherwise the build is failing on 32bit architectures again. We don't want to build any debug information on 32bit anyway so we don't need this option on these platforms. (cherry-picked from debian/sid) * [11f9e14] d/mozconfig.default: adding option for mipsel We don't have set up any options for the mipsel platform before, but the build needs some additional options too on this platform to succeed. (cherry-picked from debian/sid) * [e46e178] d/mozconfig.default: disable ion on mips and mipsel The build will fail on mips{,el} if we have enabled ION, the JavaScript JIT compiler on these platforms will loose some performance by this. (cherry-picked from debian/sid) . [ Alexander Nitsch ] * [31b87e9] Make the logo SVG square The original SVG source isn't completely square, modifying the SVG file so all generated other files from the input are also exactly square. * [c0f19a3] Add script for generating PNGs from logo SVG * [c153c5f] Update icon PNGs to be properly scaled . [ Carsten Schoenert ] * [c372e1f] d/source.filter: add some configure scripts Filter out some files that are named 'configure', they are rebuild later anyway. The filtering of these files is moved from gbp.conf to source.filter. (cherry-picked from debian/sid) * [a40c5df] d/c-lightning-l10n-t.sh: drop version checking Remove an old check for a version string within the file install.rdf. It's not created any more by upstream since > 60.0. * [05b325e] d/source.filter: don't ignore files in root folder Try to not ignore files which are in the top root folder of the upstream source tarball. * [d2ca267] rebuild patch queue from patch-queue branch added patch: fixes/Bug-1515641-Turn-enable-av1-around.-r-nalexander.patch . modified (refreshed) patches: porting-armel/Avoid-using-vmrs-vmsr-on-armel.patch porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch porting-kfreebsd-hurd/Allow-ipc-code-to-build-on-GNU-hurd.patch porting-kfreebsd-hurd/Allow-ipc-code-to-build-on-GNU-kfreebsd.patch porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch porting-kfreebsd-hurd/Fix-GNU-non-Linux-failure-to-build-because-of-ipc-ch.patch porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch porting-m68k/Add-m68k-support-to-Thunderbird.patch . removed patches (applied upstream): fixes/Fix-big-endian-build-for-SKIA.patch porting-kfreebsd-hurd/Fix-GNU-non-Linux-failure-to-build-because-of-ipc-ch.patch porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch * [cb1dde9] d/control: increase version in B-D for libsqlite3-dev * [54e8890] d/mozconfig.default: add new configure option We need to disable the usage of libav1 for an successful build. The used configure option was added by the new added patch to the patch queue. * [ecd3ade] d/copyright: update after upstream changes * [af58ed8] d/source.filter: add extra content to ignore thunderbird (1:65.0~b1-1) experimental; urgency=medium . * [e5956ef] Merge tag 'debian/1%60.4.0-1' into debian/experimental * [389748b] d/source.filter: adjust files to filter while repack Rework of the file filter list due new upstream version but also to no filter out files we obviously need later, e.g. for the omni.jar archive. * [4b86a78] New upstream version 65.0~b1 * [3db29ed] rebuild patch queue from patch-queue branch removed patches (fixed upstream): debian-hacks/icu-use-locale.h-instead-of-xlocale.h.patch debian-hacks/shellutil.py-ignore-tilde-as-special-character.patch fixes/Build-also-gdata-provider-as-xpi-file.patch fixes/Use-msse-2-fpmath-C-CXXFLAGS-only-on-x86_64-platforms.patch porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch . removed patches (dropped for Debian specific build): debian-hacks/Don-t-build-testing-suites-and-stuff.patch debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch adjusted patches: . debian-hacks/Add-another-preferences-directory-for-applications-p.patch debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch patches/fixes/Fix-big-endian-build-for-SKIA.patch (but currently disabled) porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch * [e918c6c] d/control: increase versions in B-D New Thunderbirds version typically need other packages available with higher versions like NSS, NSPR, rust ... Also adding cbindgen and nodejs()!!). * [b6c63bf] d/mozconfig.default: remove dead options More old configure option are now not available anymore and we need to drop them. * [0f959ad] remove GCC specific options LLVM's clang is now widely used, and clang isn't knowing the GCC options '-fno-schedule-insns2' and '-fno-lifetime-dse', removing these options from CFLAGS and CXXFLAGS. * [d0b1f4b] d/rules: work around about strong quotings in .mk files After the configuration of the source some Makefiles in the build folder 'obj-thunderbird' have a strong qouting on some entries. This will later provoke a build failure if we don't remove the single quotes before in the Makefiles. * [093053e] copyright: update after upstream changes * [95eaacf] d/s/lintian-overrides: adjust overrides for needed files thunderbird (1:60.9.0-1) unstable; urgency=medium . * [5f7ba31] New upstream version 60.9.0 Fixed CVE issues in upstream version 60.8.0 (MFSA 2019-29) CVE-2019-11746: Use-after-free while manipulating video CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB CVE-2019-11743: Cross-origin access to unload event attributes CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9, and Thunderbird 60.9 thunderbird (1:60.9.0-1~deb10u1) buster-security; urgency=medium . * Rebuild for buster-security * [9802e1d] Revert "Use gcc-8 and g++-8 due broken build with GCC-9" thunderbird (1:60.9.0-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.8.0-2) unstable; urgency=medium . * [41e9047] d/rules: work around carge needs a HOME dir * [c67707c] Use gcc-8 and g++-8 due broken build with GCC-9 thunderbird (1:60.8.0-1) unstable; urgency=medium . * [49f4e91] New upstream version 60.8.0 Fixed CVE issues in upstream version 60.8.0 (MFSA 2019-23) CVE-2019-9811: Sandbox escape via installation of malicious language pack CVE-2019-11711: Script injection within domain through inner window reuse CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects CVE-2019-11713: Use-after-free with HTTP/2 cached stream CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault CVE-2019-11715: HTML parsing error can contribute to content XSS CVE-2019-11717: Caret character improperly escaped in origins CVE-2019-11719: Out-of-bounds read when importing curve25519 private key CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin CVE-2019-11709: Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and Thunderbird 60.8 thunderbird (1:60.8.0-1~deb10u1) buster-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for buster-security tigervnc (1.7.0+dfsg-7+deb9u1) stretch; urgency=high . [ Joachim Falk ] * Fix CVE-2019-15691, CVE-2019-15692, CVE-2019-15693, CVE-2019-15694, and CVE-2019-15695 (Closes: #947428) tightvnc (1:1.3.9-9+deb9u1) stretch; urgency=medium . * Security upload. (Closes: #945364). * CVE-2014-6053: Check malloc() return value on client->server ClientCutText message. * CVE-2019-8287 (aka CVE-2018-20020): Fix heap out-of-bound write vulnerability inside structure in VNC client code. * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. * CVE-2018-20022: CWE-665: Improper Initialization vulnerability. * CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB. * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore server-sent reason strings longer than 1MB (see CVE-2018-20748/ libvncserver). * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name length received before allocating memory for it and limit it to 1MB. * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c. * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. tmpreaper (1.6.13+nmu1+deb9u2) stretch; urgency=medium . * Non-maintainer upload with maintainer approval. * Add `--protect '/tmp/systemd-private*/*'` to cron job to prevent breaking systemd services that have PrivateTmp=true (closes: #881725). tomcat-native (1.2.21-1~deb9u1) stretch-security; urgency=high . * Team upload. * Backport version 1.2.21 to Stretch. * Revert to compat level 10. tomcat-native (1.2.21-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat-native (1.2.19-1) unstable; urgency=medium . * Team upload. * New upstream release tomcat-native (1.2.18-1) unstable; urgency=medium . * Team upload. * New upstream release * Standards-Version updated to 4.2.1 tomcat-native (1.2.18-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat-native (1.2.17-1) unstable; urgency=medium . * Team upload. * New upstream release * Changed the priority from extra to optional * Standards-Version updated to 4.1.4 * Switch to debhelper level 11 * Use salsa.debian.org Vcs-* URLs tomcat-native (1.2.17-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat-native (1.2.16-1) unstable; urgency=medium . * Team upload. * New upstream release * Standards-Version updated to 4.1.3 tomcat-native (1.2.16-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat-native (1.2.14-1) unstable; urgency=medium . * Team upload. * New upstream release * Build with OpenSSL 1.1 (Closes: #859742) * Updated debian/README.Debian * Standards-Version updated to 4.1.0 tomcat8 (8.5.50-0+deb9u1) stretch-security; urgency=high . * Team upload. * Fix CVE-2018-11784, CVE-2018-8014, CVE-2019-0199, CVE-2019-0221, CVE-2019-12418, CVE-2019-17563. Several security vulnerabilities were found in Tomcat 8 that may lead to denial-of-service or local privilege escalation. tomcat8 (8.5.39-1) experimental; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Track and download the new releases from GitHub tomcat8 (8.5.38-2) unstable; urgency=high . * Team upload. * Apply upstream patch to unbreak the startup script (Closes: #922863) tomcat8 (8.5.38-2~bpo9+1) stretch-backports; urgency=high . * Rebuild for stretch-backports. * Team upload. . tomcat8 (8.5.38-2) unstable; urgency=high . * Team upload. * Apply upstream patch to unbreak the startup script (Closes: #922863) tomcat8 (8.5.38-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches tomcat8 (8.5.38-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat8 (8.5.37-2) unstable; urgency=medium . * Team upload. * No longer build the JavaEE API packages * Standards-Version updated to 4.3.0 tomcat8 (8.5.37-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches tomcat8 (8.5.37-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat8 (8.5.35-3) unstable; urgency=medium . * Team upload. * Split libservlet3.1-java into separate JavaEE API packages (libjsp-api-java, libel-api-java and libwebsocket-api-java) * Updated the version required for libtcnative-1 (>= 1.2.18) * Install the Russian translation added in Tomcat 8.5.33 tomcat8 (8.5.35-2) unstable; urgency=medium . * Team upload. * Fixed the build failure with Easymock 4 (Closes: #913402) tomcat8 (8.5.35-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat8 (8.5.35-1) unstable; urgency=medium . * Team upload. . [ Thomas Opfer ] * Removed old version requirement for package ant-optional that is not required any more. . [ Emmanuel Bourg ] * New upstream release - Refreshed the patches tomcat8 (8.5.34-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches tomcat8 (8.5.34-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat8 (8.5.33-1) unstable; urgency=medium . * Team upload. * New upstream version 8.5.33. - Tomcat compiles to Java 7 bytecode and passes release=7 to javac now. This ensures backwards compatibility with older JREs. (Closes: #906447) * Declare compliance with Debian Policy 4.2.1. * Refresh 0025-invalid-configuration-exit-status.patch. tomcat8 (8.5.33-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat8 (8.5.32-2) unstable; urgency=medium . * Team upload. * Added a systemd service file (Closes: #832151, #817909) * Look for the Java runtime in the paths used by java-package >= 0.61 (/usr/lib/jvm/oracle-java-{jre,jdk}-*) (Closes: #894318) * Install catalina.policy in the tomcat8-user package to be able to run custom instances with a security manager (Closes: #736321) * Disabled the shutdown port (8005) by default * Updated the policy files in /etc/tomcat8/policy.d/ * Added the missing Maven rules to use the 8.x generic version for tomcat-jaspic-api, tomcat-storeconfig and tomcat-util-scan * Set the gecos field when creating the tomcat8 user * No longer set JSSE_HOME in the init script (JSSE is enabled by default) * Standards-Version updated to 4.2.0 tomcat8 (8.5.32-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches tomcat8 (8.5.31-1) unstable; urgency=medium . * Team upload. * New upstream release * Build with ant/1.10.3-2 and the automatic 'release' attribute restoring the backward compatibility with Java 7 (Closes: #895866) * Search for Java 10 and 11 runtimes * Don't follow the symlinks when setting the owner of the /var/log/tomcat8 and /var/cache/tomcat8 directories in the postinst script * Use salsa.debian.org Vcs-* URLs tomcat8 (8.5.30-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.4 tomcat8 (8.5.29-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches tomcat8 (8.5.29-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat8 (8.5.28-1) unstable; urgency=medium . * New upstream release - Refreshed the patches - Disabled the tests checking the ARIA cipher since it isn't enabled by default in OpenSSL * Standards-Version updated to 4.1.3 * Switch to debhelper level 11 * Use a secure URL for checking and downloading the new releases * No longer parse dpkg-parsechangelog in debian/rules tomcat8 (8.5.28-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat8 (8.5.24-2) unstable; urgency=medium . * Team upload. * Removed the setDefaultAsyncSendTimeout method mistakenly added to javax.websocket.WebSocketContainer in the version 8.5.24 (Closes: #884046) tomcat8 (8.5.24-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. tomcat8 (8.5.24-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.2 tomcat8 (8.5.23-1) unstable; urgency=medium . * Team upload. * New upstream release * Standards-Version updated to 4.1.1 tomcat8 (8.5.21-1) unstable; urgency=medium . * Team upload. . [ Emmanuel Bourg ] * New upstream release - Refreshed the patches - Disabled Checkstyle * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use the specification jars from libtomcat8-java instead of libservlet3.1-java (Closes: #867247) . [ Miguel Landaeta ] * Remove myself from uploaders. (Closes: #871892) * Update copyright info. tomcat8 (8.5.16-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.0.0 tomcat8 (8.5.15-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches tomcat8 (8.5.14-2) unstable; urgency=high . * Team upload. * Fixed CVE-2017-5664: Static error pages can be overwritten if the DefaultServlet is configured to permit writes (Closes: #864447) tzdata (2019c-0+deb9u1) stretch; urgency=medium . * New upstream version, affecting the following future timestamps: - Fiji's next DST transitions will be 2019-11-10 and 2020-01-12 instead of 2019-11-03 and 2020-01-19. - Norfolk Island will observe Australian-style DST starting in spring 2019. The first transition is on 2019-10-06. tzdata (2019b-2) unstable; urgency=medium . * Change provides to tzdata-bullseye from tzdata-buster. tzdata (2019b-1) unstable; urgency=medium . * New upstream version, affecting the following past and future timestamps: - Brazil has canceled DST and will stay on standard time indefinitely. - Predictions for Morocco now go through 2087 instead of 2037. - Palestine's 2019 spring transition was 03-29 at 00:00, not 03-30 at 01:00. Guess future transitions to be March's last Friday at 00:00. - Many corrections to historical Hong Kong transitions from 1941 to 1947. tzdata (2019b-0+deb10u1) buster; urgency=medium . * New upstream version, affecting the following past and future timestamps: - Brazil has canceled DST and will stay on standard time indefinitely. - Predictions for Morocco now go through 2087 instead of 2037. - Palestine's 2019 spring transition was 03-29 at 00:00, not 03-30 at 01:00. Guess future transitions to be March's last Friday at 00:00. - Many corrections to historical Hong Kong transitions from 1941 to 1947. ublock-origin (1.22.2+dfsg-1~deb9u1) stretch; urgency=medium . * Backport of 1.22.2+dfsg-1 to Stretch. (Closes: #943470, #925337) ublock-origin (1.19.0+dfsg-2) unstable; urgency=medium . * Upload to unstable. * Declare compliance with Debian Policy 4.4.0. ublock-origin (1.19.0+dfsg-1) experimental; urgency=medium . [ Michael Meskes ] * Change package layout to allow for different file for each browser while at the same time keeping firefox working despite its dislike for symlinks. (Closes: #926586) . [ Markus Koschany ] * New upstream version 1.19.0+dfsg. ublock-origin (1.18.10+dfsg-1) experimental; urgency=medium . * New upstream version 1.18.10+dfsg. * Fix ublock-origin being disabled with Firefox 66. (Closes: #925337) * Switch to compat level 12. ublock-origin (1.18.4+dfsg-2) unstable; urgency=medium . * Remove /etc/chromium.d/ublock-origin on upgrade because this file is obsolete. (Closes: #923001) ublock-origin (1.18.4+dfsg-1) unstable; urgency=medium . * New upstream version 1.18.4. * Remove vapi-webrequest.patch. Fixed upstream. * Drop 0004-patch-README-for-Debian.patch and do not install README.md. . [ Michael Meskes ] * Remove debian/chromium/* since Chromium will load all extensions now. ublock-origin (1.18.2+dfsg-2) unstable; urgency=medium . * Upload to unstable. * Drop do-not-open-sidebar-on-first-start.patch. Fixed upstream. * Reuse both flavors of webRequest wrapper in webext package. Thanks to Raymond Hill for the patch. (Closes: #920652) ublock-origin (1.18.2+dfsg-1) experimental; urgency=medium . * New upstream version 1.18.2 DFSG-cleaned. * Declare compliance with Debian Policy 4.3.0. * Remove debian/missing-sources again because upstream provides the sources. * Compile all *.wat files from source now. ublock-origin (1.17.0+dfsg-3) unstable; urgency=medium . * Replace symlink to fontawesome-webfont with a real file again. Firefox silently ignored this symlink and icons were not displayed. This also fixes the logger window which was empty before. (Closes: #916431, #906911) ublock-origin (1.17.0+dfsg-2) unstable; urgency=medium . * Remove the quotation marks around boolean value in do-not-open-sidebar-on-first-start.patch. That prevented Firefox from loading the addon. Thanks to Eugen Dedu for the report. (Closes: #910807) ublock-origin (1.17.0+dfsg-1) unstable; urgency=medium . * New upstream version 1.17.0+dfsg. * Update upstream changelog to the new release version. * Drop make-webext-meta-encoding.patch and make-webext.patch. Fixed upstream. * Add do-not-open-sidebar-on-first-start.patch and prevent that the sidebar in Firefox opens on first startup. This feature only works in Firefox >= 62. (Closes: #909493) * Fix debian/watch and only track relevant upstream versions. Thanks to Sven Joachim for the report and patch. (Closes: #908898) ublock-origin (1.16.14+dfsg-2) unstable; urgency=medium . * Declare compliance with Debian Policy 4.2.1. * Build-depend on python3 and fix that python commands were silently ignored in make-webext.sh. Thanks to Laurent Bigonville for the report. (Closes: #908509) * Add make-webext.patch. Call bash with set -e and exit when a command exits with a non-zero status. Also use the python3 executable instead of the default python interpreter. * Add make-webext-meta-encoding.patch and fix an encoding issue and fatal error that would cause a FTBFS. unhide (20130526-1+deb9u1) stretch; urgency=medium . * Team Upload. * debian/patch/allocate-pid-arrays-from-heap.patch: Added to fix a stack exhausting. Thanks to Bernhard Übelacker . (Closes: #945864) x2goclient (4.0.5.2-2+deb9u1) stretch; urgency=medium . * debian/patches: + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY- based Windows solution for Kerberos support), but newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings. (Closes: #947129). xen (4.8.5.final+shim4.10.4-1+deb9u12) stretch-security; urgency=medium . * *NOTE* this will probably be the *LAST UPDATE* for Xen in Debian 9.x (stretch), since this is the last batch of security patches from upstream, where Xen 4.8 is out of security support. . * Update to new upstream final tip of 4.8 stable branch, which I have dubbed upstream/stable-4.8.5.final. And shim 4.10.4. * This includes fixes to: XSA-311 CVE-2019-19577 XSA-310 CVE-2019-19580 XSA-309 CVE-2019-19578 XSA-308 CVE-2019-19583 XSA-307 CVE-2019-19581 CVE-2019-19582 XSA-306 CVE-2019-19579 XSA-305 CVE-2019-11135 XSA-304 CVE-2018-12207 XSA-303 CVE-2019-18422 XSA-302 CVE-2019-18424 XSA-301 CVE-2019-18423 XSA-299 CVE-2019-18421 XSA-298 CVE-2019-18425 XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 XSA-296 CVE-2019-18420 XSA-295 CVE-2019-17349 CVE-2019-17350 XSA-294 CVE-2019-17348 XSA-293 CVE-2019-17347 XSA-292 CVE-2019-17346 XSA-291 CVE-2019-17345 XSA-290 CVE-2019-17344 XSA-288 CVE-2019-17343 XSA-287 CVE-2019-17342 XSA-285 CVE-2019-17341 XSA-284 CVE-2019-17340 * For completeness, the following are not applicable: XSA-300 CVE-2019-17351 Bug is in Linux XSA-289 Spectre V1 + L1TF combo; no new fixes XSA-283 Withdrawn XSA number XSA-281 Withdrawn XSA number * The following is *not* fixed at this time: XSA-286 Still embargoed. . * README.comet: remove line about PVH support. [Hans van Kranenburg] Closes:#908453. xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium . * [12dd825] New patches: DSA verification crashes OpenSSL on invalid combinations of key content. Particular KeyInfo combinations result in incomplete DSA key structures that OpenSSL can't handle without crashing. In the case of Shibboleth SP software this manifests as a crash in the shibd daemon. Exploitation is believed to be possible only in deployments employing the PKIX trust engine, which is generally recommended against. The upstream patches backported from 2.0.2 apply analogous safeguards to the RSA and ECDSA key handling as well. Upstream bug: https://issues.apache.org/jira/browse/SANTUARIO-496 CVE: not assigned Thanks to Scott Cantor (Closes: #913136) ======================================= Sun, 08 Sep 2019 - Debian 9.11 released ======================================= base-files (9.9+deb9u11) stretch; urgency=emergency . * Non-maintainer upload. * Change /etc/debian_version to 9.11, for Debian 9.11 point release. bogl (0.1.18-11+deb9u1) stretch; urgency=high . * bogl-term.c: Call iswspace instead of isspace, fixes crash on U+FEFF. debian-installer-netboot-images (20170615+deb9u7.b2) stretch; urgency=emergency . * Update to 20170615+deb9u2+b2, from stretch-proposed-updates ======================================= Sat, 07 Sep 2019 - Debian 9.10 released ======================================= ========================================================================== [Date: Sat, 07 Sep 2019 10:45:07 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedove-dev | 1:60.0-2~deb9u1 | all icedove-l10n-bn-bd | 1:60.0-2~deb9u1 | all icedove-l10n-pa-in | 1:60.0-2~deb9u1 | all icedove-l10n-ta-lk | 1:60.0-2~deb9u1 | all iceowl-l10n-bn-bd | 1:60.0-2~deb9u1 | all iceowl-l10n-pa-in | 1:60.0-2~deb9u1 | all iceowl-l10n-ta-lk | 1:60.0-2~deb9u1 | all lightning-l10n-bn-bd | 1:60.0-2~deb9u1 | all lightning-l10n-pa-in | 1:60.0-2~deb9u1 | all lightning-l10n-ta-lk | 1:60.0-2~deb9u1 | all thunderbird-l10n-bn-bd | 1:60.0-2~deb9u1 | all thunderbird-l10n-pa-in | 1:60.0-2~deb9u1 | all thunderbird-l10n-ta-lk | 1:60.0-2~deb9u1 | all Maintainer: Carsten Schoenert ------------------- Reason ------------------- [auto-cruft] obsoleted ---------------------------------------------- linux-headers-4.9.0-9-common | 4.9.168-1+deb9u3 | all linux-headers-4.9.0-9-common-rt | 4.9.168-1+deb9u3 | all linux-support-4.9.0-9 | 4.9.168-1+deb9u3 | all Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- linux-headers-4.9.0-10-common | 4.9.185-1 | all linux-headers-4.9.0-10-common-rt | 4.9.185-1 | all linux-support-4.9.0-10 | 4.9.185-1 | all Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- libclamav7 | 0.100.3+dfsg-0+deb9u1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Maintainer: ClamAV Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by clamav) ---------------------------------------------- libclamunrar7 | 0.100.1-0+deb9u1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Maintainer: ClamAV Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by libclamunrar) ---------------------------------------------- ata-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 ata-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 btrfs-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 btrfs-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 cdrom-core-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 cdrom-core-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 crc-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 crc-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 crypto-dm-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 crypto-dm-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 crypto-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 crypto-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 efi-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 efi-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 event-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 event-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 ext4-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 ext4-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 fat-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 fat-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 fb-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 fb-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 fuse-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 fuse-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 i2c-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 i2c-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 input-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 input-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 isofs-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 isofs-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 jfs-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 jfs-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 kernel-image-4.9.0-10-arm64-di | 4.9.185-1 | arm64 kernel-image-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 leds-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 leds-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 linux-headers-4.9.0-10-all-arm64 | 4.9.185-1 | arm64 linux-headers-4.9.0-10-arm64 | 4.9.185-1 | arm64 linux-headers-4.9.0-9-all-arm64 | 4.9.168-1+deb9u3 | arm64 linux-headers-4.9.0-9-arm64 | 4.9.168-1+deb9u3 | arm64 linux-image-4.9.0-10-arm64 | 4.9.185-1 | arm64 linux-image-4.9.0-10-arm64-dbg | 4.9.185-1 | arm64 linux-image-4.9.0-9-arm64 | 4.9.168-1+deb9u3 | arm64 linux-image-4.9.0-9-arm64-dbg | 4.9.168-1+deb9u3 | arm64 loop-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 loop-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 md-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 md-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 mmc-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 mmc-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 multipath-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 multipath-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 nbd-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 nbd-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 nic-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 nic-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 nic-shared-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 nic-shared-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 nic-usb-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 nic-usb-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 nic-wireless-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 nic-wireless-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 ppp-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 ppp-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 sata-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 sata-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 scsi-core-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 scsi-core-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 scsi-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 scsi-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 squashfs-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 squashfs-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 udf-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 udf-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 uinput-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 uinput-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 usb-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 usb-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 usb-storage-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 usb-storage-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 virtio-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 virtio-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 xfs-modules-4.9.0-10-arm64-di | 4.9.185-1 | arm64 xfs-modules-4.9.0-9-arm64-di | 4.9.168-1+deb9u3 | arm64 Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- btrfs-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel btrfs-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel cdrom-core-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel cdrom-core-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel crc-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel crc-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel crypto-dm-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel crypto-dm-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel crypto-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel crypto-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel event-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel event-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel ext4-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel ext4-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel fat-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel fat-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel fb-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel fb-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel fuse-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel fuse-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel input-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel input-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel ipv6-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel ipv6-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel isofs-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel isofs-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel jffs2-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel jffs2-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel jfs-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel jfs-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel kernel-image-4.9.0-10-marvell-di | 4.9.185-1 | armel kernel-image-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel leds-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel leds-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel linux-headers-4.9.0-10-all-armel | 4.9.185-1 | armel linux-headers-4.9.0-10-marvell | 4.9.185-1 | armel linux-headers-4.9.0-9-all-armel | 4.9.168-1+deb9u3 | armel linux-headers-4.9.0-9-marvell | 4.9.168-1+deb9u3 | armel linux-image-4.9.0-10-marvell | 4.9.185-1 | armel linux-image-4.9.0-10-marvell-dbg | 4.9.185-1 | armel linux-image-4.9.0-9-marvell | 4.9.168-1+deb9u3 | armel linux-image-4.9.0-9-marvell-dbg | 4.9.168-1+deb9u3 | armel loop-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel loop-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel md-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel md-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel minix-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel minix-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel mmc-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel mmc-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel mouse-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel mouse-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel mtd-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel mtd-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel multipath-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel multipath-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel nbd-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel nbd-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel nic-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel nic-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel nic-shared-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel nic-shared-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel nic-usb-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel nic-usb-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel ppp-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel ppp-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel sata-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel sata-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel scsi-core-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel scsi-core-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel squashfs-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel squashfs-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel udf-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel udf-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel uinput-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel uinput-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel usb-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel usb-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel usb-serial-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel usb-serial-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel usb-storage-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel usb-storage-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel zlib-modules-4.9.0-10-marvell-di | 4.9.185-1 | armel zlib-modules-4.9.0-9-marvell-di | 4.9.168-1+deb9u3 | armel Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ata-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf ata-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf btrfs-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf btrfs-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf crc-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf crc-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf crypto-dm-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf crypto-dm-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf crypto-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf crypto-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf efi-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf efi-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf event-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf event-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf ext4-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf ext4-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf fat-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf fat-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf fb-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf fb-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf fuse-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf fuse-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf i2c-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf i2c-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf input-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf input-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf isofs-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf isofs-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf jfs-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf jfs-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf kernel-image-4.9.0-10-armmp-di | 4.9.185-1 | armhf kernel-image-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf leds-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf leds-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf linux-headers-4.9.0-10-all-armhf | 4.9.185-1 | armhf linux-headers-4.9.0-10-armmp | 4.9.185-1 | armhf linux-headers-4.9.0-10-armmp-lpae | 4.9.185-1 | armhf linux-headers-4.9.0-9-all-armhf | 4.9.168-1+deb9u3 | armhf linux-headers-4.9.0-9-armmp | 4.9.168-1+deb9u3 | armhf linux-headers-4.9.0-9-armmp-lpae | 4.9.168-1+deb9u3 | armhf linux-image-4.9.0-10-armmp | 4.9.185-1 | armhf linux-image-4.9.0-10-armmp-dbg | 4.9.185-1 | armhf linux-image-4.9.0-10-armmp-lpae | 4.9.185-1 | armhf linux-image-4.9.0-10-armmp-lpae-dbg | 4.9.185-1 | armhf linux-image-4.9.0-9-armmp | 4.9.168-1+deb9u3 | armhf linux-image-4.9.0-9-armmp-dbg | 4.9.168-1+deb9u3 | armhf linux-image-4.9.0-9-armmp-lpae | 4.9.168-1+deb9u3 | armhf linux-image-4.9.0-9-armmp-lpae-dbg | 4.9.168-1+deb9u3 | armhf loop-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf loop-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf md-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf md-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf mmc-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf mmc-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf mtd-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf mtd-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf multipath-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf multipath-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf nbd-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf nbd-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf nic-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf nic-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf nic-shared-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf nic-shared-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf nic-usb-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf nic-usb-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf nic-wireless-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf nic-wireless-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf pata-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf pata-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf ppp-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf ppp-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf sata-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf sata-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf scsi-core-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf scsi-core-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf scsi-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf scsi-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf squashfs-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf squashfs-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf udf-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf udf-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf uinput-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf uinput-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf usb-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf usb-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf usb-storage-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf usb-storage-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf virtio-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf virtio-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf zlib-modules-4.9.0-10-armmp-di | 4.9.185-1 | armhf zlib-modules-4.9.0-9-armmp-di | 4.9.168-1+deb9u3 | armhf Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- acpi-modules-4.9.0-10-686-di | 4.9.185-1 | i386 acpi-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 acpi-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 acpi-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 ata-modules-4.9.0-10-686-di | 4.9.185-1 | i386 ata-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 ata-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 ata-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 btrfs-modules-4.9.0-10-686-di | 4.9.185-1 | i386 btrfs-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 btrfs-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 btrfs-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 cdrom-core-modules-4.9.0-10-686-di | 4.9.185-1 | i386 cdrom-core-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 cdrom-core-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 cdrom-core-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 crc-modules-4.9.0-10-686-di | 4.9.185-1 | i386 crc-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 crc-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 crc-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 crypto-dm-modules-4.9.0-10-686-di | 4.9.185-1 | i386 crypto-dm-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 crypto-dm-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 crypto-dm-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 crypto-modules-4.9.0-10-686-di | 4.9.185-1 | i386 crypto-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 crypto-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 crypto-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 efi-modules-4.9.0-10-686-di | 4.9.185-1 | i386 efi-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 efi-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 efi-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 event-modules-4.9.0-10-686-di | 4.9.185-1 | i386 event-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 event-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 event-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 ext4-modules-4.9.0-10-686-di | 4.9.185-1 | i386 ext4-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 ext4-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 ext4-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 fat-modules-4.9.0-10-686-di | 4.9.185-1 | i386 fat-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 fat-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 fat-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 fb-modules-4.9.0-10-686-di | 4.9.185-1 | i386 fb-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 fb-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 fb-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 firewire-core-modules-4.9.0-10-686-di | 4.9.185-1 | i386 firewire-core-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 firewire-core-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 firewire-core-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 fuse-modules-4.9.0-10-686-di | 4.9.185-1 | i386 fuse-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 fuse-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 fuse-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 hyperv-modules-4.9.0-10-686-di | 4.9.185-1 | i386 hyperv-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 hyperv-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 hyperv-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 i2c-modules-4.9.0-10-686-di | 4.9.185-1 | i386 i2c-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 i2c-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 i2c-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 input-modules-4.9.0-10-686-di | 4.9.185-1 | i386 input-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 input-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 input-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 isofs-modules-4.9.0-10-686-di | 4.9.185-1 | i386 isofs-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 isofs-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 isofs-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 jfs-modules-4.9.0-10-686-di | 4.9.185-1 | i386 jfs-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 jfs-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 jfs-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 kernel-image-4.9.0-10-686-di | 4.9.185-1 | i386 kernel-image-4.9.0-10-686-pae-di | 4.9.185-1 | i386 kernel-image-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 kernel-image-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 linux-headers-4.9.0-10-686 | 4.9.185-1 | i386 linux-headers-4.9.0-10-686-pae | 4.9.185-1 | i386 linux-headers-4.9.0-10-all-i386 | 4.9.185-1 | i386 linux-headers-4.9.0-10-rt-686-pae | 4.9.185-1 | i386 linux-headers-4.9.0-9-686 | 4.9.168-1+deb9u3 | i386 linux-headers-4.9.0-9-686-pae | 4.9.168-1+deb9u3 | i386 linux-headers-4.9.0-9-all-i386 | 4.9.168-1+deb9u3 | i386 linux-headers-4.9.0-9-rt-686-pae | 4.9.168-1+deb9u3 | i386 linux-image-4.9.0-10-686 | 4.9.185-1 | i386 linux-image-4.9.0-10-686-dbg | 4.9.185-1 | i386 linux-image-4.9.0-10-686-pae | 4.9.185-1 | i386 linux-image-4.9.0-10-686-pae-dbg | 4.9.185-1 | i386 linux-image-4.9.0-10-rt-686-pae | 4.9.185-1 | i386 linux-image-4.9.0-10-rt-686-pae-dbg | 4.9.185-1 | i386 linux-image-4.9.0-9-686 | 4.9.168-1+deb9u3 | i386 linux-image-4.9.0-9-686-dbg | 4.9.168-1+deb9u3 | i386 linux-image-4.9.0-9-686-pae | 4.9.168-1+deb9u3 | i386 linux-image-4.9.0-9-686-pae-dbg | 4.9.168-1+deb9u3 | i386 linux-image-4.9.0-9-rt-686-pae | 4.9.168-1+deb9u3 | i386 linux-image-4.9.0-9-rt-686-pae-dbg | 4.9.168-1+deb9u3 | i386 loop-modules-4.9.0-10-686-di | 4.9.185-1 | i386 loop-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 loop-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 loop-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 md-modules-4.9.0-10-686-di | 4.9.185-1 | i386 md-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 md-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 md-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 mmc-core-modules-4.9.0-10-686-di | 4.9.185-1 | i386 mmc-core-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 mmc-core-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 mmc-core-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 mmc-modules-4.9.0-10-686-di | 4.9.185-1 | i386 mmc-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 mmc-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 mmc-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 mouse-modules-4.9.0-10-686-di | 4.9.185-1 | i386 mouse-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 mouse-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 mouse-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 multipath-modules-4.9.0-10-686-di | 4.9.185-1 | i386 multipath-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 multipath-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 multipath-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 nbd-modules-4.9.0-10-686-di | 4.9.185-1 | i386 nbd-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 nbd-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 nbd-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 nic-modules-4.9.0-10-686-di | 4.9.185-1 | i386 nic-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 nic-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 nic-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 nic-pcmcia-modules-4.9.0-10-686-di | 4.9.185-1 | i386 nic-pcmcia-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 nic-pcmcia-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 nic-pcmcia-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 nic-shared-modules-4.9.0-10-686-di | 4.9.185-1 | i386 nic-shared-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 nic-shared-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 nic-shared-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 nic-usb-modules-4.9.0-10-686-di | 4.9.185-1 | i386 nic-usb-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 nic-usb-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 nic-usb-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 nic-wireless-modules-4.9.0-10-686-di | 4.9.185-1 | i386 nic-wireless-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 nic-wireless-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 nic-wireless-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 ntfs-modules-4.9.0-10-686-di | 4.9.185-1 | i386 ntfs-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 ntfs-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 ntfs-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 pata-modules-4.9.0-10-686-di | 4.9.185-1 | i386 pata-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 pata-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 pata-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 pcmcia-modules-4.9.0-10-686-di | 4.9.185-1 | i386 pcmcia-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 pcmcia-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 pcmcia-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 pcmcia-storage-modules-4.9.0-10-686-di | 4.9.185-1 | i386 pcmcia-storage-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 pcmcia-storage-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 pcmcia-storage-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 ppp-modules-4.9.0-10-686-di | 4.9.185-1 | i386 ppp-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 ppp-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 ppp-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 sata-modules-4.9.0-10-686-di | 4.9.185-1 | i386 sata-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 sata-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 sata-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 scsi-core-modules-4.9.0-10-686-di | 4.9.185-1 | i386 scsi-core-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 scsi-core-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 scsi-core-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 scsi-modules-4.9.0-10-686-di | 4.9.185-1 | i386 scsi-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 scsi-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 scsi-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 serial-modules-4.9.0-10-686-di | 4.9.185-1 | i386 serial-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 serial-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 serial-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 sound-modules-4.9.0-10-686-di | 4.9.185-1 | i386 sound-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 sound-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 sound-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 speakup-modules-4.9.0-10-686-di | 4.9.185-1 | i386 speakup-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 speakup-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 speakup-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 squashfs-modules-4.9.0-10-686-di | 4.9.185-1 | i386 squashfs-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 squashfs-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 squashfs-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 udf-modules-4.9.0-10-686-di | 4.9.185-1 | i386 udf-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 udf-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 udf-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 uinput-modules-4.9.0-10-686-di | 4.9.185-1 | i386 uinput-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 uinput-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 uinput-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 usb-modules-4.9.0-10-686-di | 4.9.185-1 | i386 usb-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 usb-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 usb-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 usb-serial-modules-4.9.0-10-686-di | 4.9.185-1 | i386 usb-serial-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 usb-serial-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 usb-serial-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 usb-storage-modules-4.9.0-10-686-di | 4.9.185-1 | i386 usb-storage-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 usb-storage-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 usb-storage-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 virtio-modules-4.9.0-10-686-di | 4.9.185-1 | i386 virtio-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 virtio-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 virtio-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 xfs-modules-4.9.0-10-686-di | 4.9.185-1 | i386 xfs-modules-4.9.0-10-686-pae-di | 4.9.185-1 | i386 xfs-modules-4.9.0-9-686-di | 4.9.168-1+deb9u3 | i386 xfs-modules-4.9.0-9-686-pae-di | 4.9.168-1+deb9u3 | i386 Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- linux-headers-4.9.0-10-all-mips | 4.9.185-1 | mips linux-headers-4.9.0-9-all-mips | 4.9.168-1+deb9u3 | mips Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- affs-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel affs-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel btrfs-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel btrfs-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel cdrom-core-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel cdrom-core-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel crc-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel crc-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel crypto-dm-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel crypto-dm-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel crypto-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel crypto-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel event-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel event-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel ext4-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel ext4-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel fat-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel fat-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel fuse-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel fuse-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel hfs-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel hfs-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel input-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel input-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel isofs-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel isofs-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel jfs-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel jfs-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel kernel-image-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel kernel-image-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel linux-headers-4.9.0-10-5kc-malta | 4.9.185-1 | mips, mips64el, mipsel linux-headers-4.9.0-10-octeon | 4.9.185-1 | mips, mips64el, mipsel linux-headers-4.9.0-9-5kc-malta | 4.9.168-1+deb9u3 | mips, mips64el, mipsel linux-headers-4.9.0-9-octeon | 4.9.168-1+deb9u3 | mips, mips64el, mipsel linux-image-4.9.0-10-5kc-malta | 4.9.185-1 | mips, mips64el, mipsel linux-image-4.9.0-10-5kc-malta-dbg | 4.9.185-1 | mips, mips64el, mipsel linux-image-4.9.0-10-octeon | 4.9.185-1 | mips, mips64el, mipsel linux-image-4.9.0-10-octeon-dbg | 4.9.185-1 | mips, mips64el, mipsel linux-image-4.9.0-9-5kc-malta | 4.9.168-1+deb9u3 | mips, mips64el, mipsel linux-image-4.9.0-9-5kc-malta-dbg | 4.9.168-1+deb9u3 | mips, mips64el, mipsel linux-image-4.9.0-9-octeon | 4.9.168-1+deb9u3 | mips, mips64el, mipsel linux-image-4.9.0-9-octeon-dbg | 4.9.168-1+deb9u3 | mips, mips64el, mipsel loop-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel loop-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel md-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel md-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel minix-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel minix-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel multipath-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel multipath-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel nbd-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel nbd-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel nic-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel nic-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel nic-shared-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel nic-shared-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel nic-usb-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel nic-usb-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel nic-wireless-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel nic-wireless-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel ntfs-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel ntfs-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel pata-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel pata-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel ppp-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel ppp-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel rtc-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel rtc-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel sata-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel sata-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel scsi-core-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel scsi-core-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel scsi-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel scsi-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel sound-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel sound-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel squashfs-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel squashfs-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel udf-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel udf-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel usb-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel usb-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel usb-serial-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel usb-serial-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel usb-storage-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel usb-storage-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel virtio-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel virtio-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel xfs-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel xfs-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel zlib-modules-4.9.0-10-octeon-di | 4.9.185-1 | mips, mips64el, mipsel zlib-modules-4.9.0-9-octeon-di | 4.9.168-1+deb9u3 | mips, mips64el, mipsel Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- affs-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel affs-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel ata-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel ata-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel btrfs-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel btrfs-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel cdrom-core-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel cdrom-core-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel crc-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel crc-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel crypto-dm-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel crypto-dm-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel crypto-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel crypto-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel event-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel event-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel ext4-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel ext4-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel fat-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel fat-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel fuse-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel fuse-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel hfs-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel hfs-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel i2c-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel i2c-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel input-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel input-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel isofs-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel isofs-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel jfs-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel jfs-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel kernel-image-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel kernel-image-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel linux-headers-4.9.0-10-4kc-malta | 4.9.185-1 | mips, mipsel linux-headers-4.9.0-9-4kc-malta | 4.9.168-1+deb9u3 | mips, mipsel linux-image-4.9.0-10-4kc-malta | 4.9.185-1 | mips, mipsel linux-image-4.9.0-10-4kc-malta-dbg | 4.9.185-1 | mips, mipsel linux-image-4.9.0-9-4kc-malta | 4.9.168-1+deb9u3 | mips, mipsel linux-image-4.9.0-9-4kc-malta-dbg | 4.9.168-1+deb9u3 | mips, mipsel loop-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel loop-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel md-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel md-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel minix-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel minix-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel mmc-core-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel mmc-core-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel mmc-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel mmc-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel mouse-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel mouse-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel multipath-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel multipath-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel nbd-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel nbd-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel nic-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel nic-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel nic-shared-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel nic-shared-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel nic-usb-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel nic-usb-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel nic-wireless-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel nic-wireless-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel ntfs-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel ntfs-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel pata-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel pata-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel ppp-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel ppp-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel sata-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel sata-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel scsi-core-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel scsi-core-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel scsi-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel scsi-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel sound-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel sound-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel squashfs-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel squashfs-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel udf-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel udf-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel usb-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel usb-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel usb-serial-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel usb-serial-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel usb-storage-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel usb-storage-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel virtio-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel virtio-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel xfs-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel xfs-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel zlib-modules-4.9.0-10-4kc-malta-di | 4.9.185-1 | mips, mipsel zlib-modules-4.9.0-9-4kc-malta-di | 4.9.168-1+deb9u3 | mips, mipsel Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- affs-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el affs-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el ata-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el ata-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el btrfs-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el btrfs-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el cdrom-core-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el cdrom-core-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el crc-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el crc-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el crypto-dm-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el crypto-dm-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el crypto-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el crypto-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el event-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el event-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el ext4-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el ext4-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el fat-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el fat-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el fuse-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el fuse-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el hfs-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el hfs-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el i2c-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el i2c-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el input-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el input-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el isofs-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el isofs-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el jfs-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el jfs-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el kernel-image-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el kernel-image-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el linux-headers-4.9.0-10-all-mips64el | 4.9.185-1 | mips64el linux-headers-4.9.0-9-all-mips64el | 4.9.168-1+deb9u3 | mips64el loop-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el loop-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el md-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el md-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el minix-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el minix-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el mmc-core-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el mmc-core-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el mmc-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el mmc-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el mouse-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el mouse-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el multipath-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el multipath-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el nbd-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el nbd-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el nic-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el nic-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el nic-shared-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el nic-shared-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el nic-usb-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el nic-usb-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el nic-wireless-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el nic-wireless-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el ntfs-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el ntfs-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el pata-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el pata-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el ppp-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el ppp-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el sata-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el sata-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el scsi-core-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el scsi-core-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el scsi-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el scsi-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el sound-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el sound-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el squashfs-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el squashfs-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el udf-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el udf-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el usb-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el usb-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el usb-serial-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el usb-serial-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el usb-storage-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el usb-storage-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el virtio-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el virtio-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el xfs-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el xfs-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el zlib-modules-4.9.0-10-5kc-malta-di | 4.9.185-1 | mips64el zlib-modules-4.9.0-9-5kc-malta-di | 4.9.168-1+deb9u3 | mips64el Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- affs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel affs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel ata-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel ata-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel btrfs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel btrfs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel cdrom-core-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel cdrom-core-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel crc-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel crc-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel crypto-dm-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel crypto-dm-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel crypto-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel crypto-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel event-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel event-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel ext4-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel ext4-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel fat-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel fat-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel fb-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel fb-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel firewire-core-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel firewire-core-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel fuse-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel fuse-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel hfs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel hfs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel input-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel input-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel isofs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel isofs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel jfs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel jfs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel kernel-image-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel kernel-image-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel linux-headers-4.9.0-10-loongson-3 | 4.9.185-1 | mips64el, mipsel linux-headers-4.9.0-9-loongson-3 | 4.9.168-1+deb9u3 | mips64el, mipsel linux-image-4.9.0-10-loongson-3 | 4.9.185-1 | mips64el, mipsel linux-image-4.9.0-10-loongson-3-dbg | 4.9.185-1 | mips64el, mipsel linux-image-4.9.0-9-loongson-3 | 4.9.168-1+deb9u3 | mips64el, mipsel linux-image-4.9.0-9-loongson-3-dbg | 4.9.168-1+deb9u3 | mips64el, mipsel loop-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel loop-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel md-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel md-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel minix-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel minix-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel multipath-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel multipath-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel nbd-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel nbd-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel nfs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel nfs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel nic-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel nic-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel nic-shared-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel nic-shared-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel nic-usb-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel nic-usb-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel nic-wireless-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel nic-wireless-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel ntfs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel ntfs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel pata-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel pata-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel ppp-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel ppp-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel sata-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel sata-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel scsi-core-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel scsi-core-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel scsi-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel scsi-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel sound-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel sound-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel speakup-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel speakup-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel squashfs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel squashfs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel udf-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel udf-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel usb-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel usb-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel usb-serial-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel usb-serial-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel usb-storage-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel usb-storage-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel virtio-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel virtio-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel xfs-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel xfs-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel zlib-modules-4.9.0-10-loongson-3-di | 4.9.185-1 | mips64el, mipsel zlib-modules-4.9.0-9-loongson-3-di | 4.9.168-1+deb9u3 | mips64el, mipsel Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- linux-headers-4.9.0-10-all-mipsel | 4.9.185-1 | mipsel linux-headers-4.9.0-9-all-mipsel | 4.9.168-1+deb9u3 | mipsel Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ata-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el ata-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el btrfs-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el btrfs-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el cdrom-core-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el cdrom-core-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el crc-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el crc-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el crypto-dm-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el crypto-dm-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el crypto-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el crypto-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el event-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el event-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el ext4-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el ext4-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el fancontrol-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el fancontrol-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el fat-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el fat-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el firewire-core-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el firewire-core-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el fuse-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el fuse-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el hypervisor-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el hypervisor-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el input-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el input-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el isofs-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el isofs-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el jfs-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el jfs-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el kernel-image-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el kernel-image-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el linux-headers-4.9.0-10-all-ppc64el | 4.9.185-1 | ppc64el linux-headers-4.9.0-10-powerpc64le | 4.9.185-1 | ppc64el linux-headers-4.9.0-9-all-ppc64el | 4.9.168-1+deb9u3 | ppc64el linux-headers-4.9.0-9-powerpc64le | 4.9.168-1+deb9u3 | ppc64el linux-image-4.9.0-10-powerpc64le | 4.9.185-1 | ppc64el linux-image-4.9.0-10-powerpc64le-dbg | 4.9.185-1 | ppc64el linux-image-4.9.0-9-powerpc64le | 4.9.168-1+deb9u3 | ppc64el linux-image-4.9.0-9-powerpc64le-dbg | 4.9.168-1+deb9u3 | ppc64el loop-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el loop-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el md-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el md-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el mouse-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el mouse-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el multipath-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el multipath-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el nbd-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el nbd-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el nic-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el nic-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el nic-shared-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el nic-shared-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el ppp-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el ppp-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el sata-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el sata-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el scsi-core-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el scsi-core-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el scsi-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el scsi-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el serial-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el serial-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el squashfs-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el squashfs-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el udf-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el udf-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el uinput-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el uinput-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el usb-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el usb-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el usb-serial-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el usb-serial-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el usb-storage-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el usb-storage-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el virtio-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el virtio-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el xfs-modules-4.9.0-10-powerpc64le-di | 4.9.185-1 | ppc64el xfs-modules-4.9.0-9-powerpc64le-di | 4.9.168-1+deb9u3 | ppc64el Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- acpi-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 acpi-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 ata-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 ata-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 btrfs-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 btrfs-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 cdrom-core-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 cdrom-core-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 crc-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 crc-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 crypto-dm-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 crypto-dm-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 crypto-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 crypto-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 efi-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 efi-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 event-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 event-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 ext4-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 ext4-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 fat-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 fat-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 fb-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 fb-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 firewire-core-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 firewire-core-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 fuse-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 fuse-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 hyperv-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 hyperv-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 i2c-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 i2c-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 input-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 input-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 isofs-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 isofs-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 jfs-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 jfs-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 kernel-image-4.9.0-10-amd64-di | 4.9.185-1 | amd64 kernel-image-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 linux-headers-4.9.0-10-all-amd64 | 4.9.185-1 | amd64 linux-headers-4.9.0-10-amd64 | 4.9.185-1 | amd64 linux-headers-4.9.0-10-rt-amd64 | 4.9.185-1 | amd64 linux-headers-4.9.0-9-all-amd64 | 4.9.168-1+deb9u3 | amd64 linux-headers-4.9.0-9-amd64 | 4.9.168-1+deb9u3 | amd64 linux-headers-4.9.0-9-rt-amd64 | 4.9.168-1+deb9u3 | amd64 linux-image-4.9.0-10-amd64 | 4.9.185-1 | amd64 linux-image-4.9.0-10-amd64-dbg | 4.9.185-1 | amd64 linux-image-4.9.0-10-rt-amd64 | 4.9.185-1 | amd64 linux-image-4.9.0-10-rt-amd64-dbg | 4.9.185-1 | amd64 linux-image-4.9.0-9-amd64 | 4.9.168-1+deb9u3 | amd64 linux-image-4.9.0-9-amd64-dbg | 4.9.168-1+deb9u3 | amd64 linux-image-4.9.0-9-rt-amd64 | 4.9.168-1+deb9u3 | amd64 linux-image-4.9.0-9-rt-amd64-dbg | 4.9.168-1+deb9u3 | amd64 loop-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 loop-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 md-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 md-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 mmc-core-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 mmc-core-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 mmc-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 mmc-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 mouse-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 mouse-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 multipath-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 multipath-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 nbd-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 nbd-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 nic-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 nic-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 nic-pcmcia-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 nic-pcmcia-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 nic-shared-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 nic-shared-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 nic-usb-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 nic-usb-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 nic-wireless-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 nic-wireless-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 ntfs-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 ntfs-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 pata-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 pata-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 pcmcia-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 pcmcia-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 pcmcia-storage-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 pcmcia-storage-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 ppp-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 ppp-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 sata-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 sata-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 scsi-core-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 scsi-core-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 scsi-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 scsi-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 serial-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 serial-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 sound-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 sound-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 speakup-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 speakup-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 squashfs-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 squashfs-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 udf-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 udf-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 uinput-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 uinput-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 usb-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 usb-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 usb-serial-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 usb-serial-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 usb-storage-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 usb-storage-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 virtio-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 virtio-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 xfs-modules-4.9.0-10-amd64-di | 4.9.185-1 | amd64 xfs-modules-4.9.0-9-amd64-di | 4.9.168-1+deb9u3 | amd64 Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- btrfs-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x btrfs-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x crc-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x crc-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x crypto-dm-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x crypto-dm-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x crypto-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x crypto-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x dasd-extra-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x dasd-extra-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x dasd-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x dasd-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x ext4-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x ext4-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x fat-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x fat-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x fuse-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x fuse-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x isofs-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x isofs-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x kernel-image-4.9.0-10-s390x-di | 4.9.185-1 | s390x kernel-image-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x linux-headers-4.9.0-10-all-s390x | 4.9.185-1 | s390x linux-headers-4.9.0-10-s390x | 4.9.185-1 | s390x linux-headers-4.9.0-9-all-s390x | 4.9.168-1+deb9u3 | s390x linux-headers-4.9.0-9-s390x | 4.9.168-1+deb9u3 | s390x linux-image-4.9.0-10-s390x | 4.9.185-1 | s390x linux-image-4.9.0-10-s390x-dbg | 4.9.185-1 | s390x linux-image-4.9.0-9-s390x | 4.9.168-1+deb9u3 | s390x linux-image-4.9.0-9-s390x-dbg | 4.9.168-1+deb9u3 | s390x loop-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x loop-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x md-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x md-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x multipath-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x multipath-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x nbd-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x nbd-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x nic-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x nic-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x scsi-core-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x scsi-core-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x scsi-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x scsi-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x udf-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x udf-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x virtio-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x virtio-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x xfs-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x xfs-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x zlib-modules-4.9.0-10-s390x-di | 4.9.185-1 | s390x zlib-modules-4.9.0-9-s390x-di | 4.9.168-1+deb9u3 | s390x Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- linux-headers-4.9.0-10-all | 4.9.185-1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x linux-headers-4.9.0-9-all | 4.9.168-1+deb9u3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Maintainer: Debian Kernel Team ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- rust-doc | 1.14.0+dfsg1-3 | all Maintainer: Rust Maintainers Will also close bugs: 928423 ------------------- Reason ------------------- RoQA; outdated cruft package ---------------------------------------------- teeworlds | 0.6.5+dfsg-1~deb9u1 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x teeworlds-data | 0.6.5+dfsg-1~deb9u1 | all teeworlds-server | 0.6.5+dfsg-1~deb9u1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Maintainer: Debian Games Team Will also close bugs: 935596 ------------------- Reason ------------------- RoST; security issues; incompatible with current servers ---------------------------------------------- pump | 0.8.24-7 | source pump | 0.8.24-7+b2 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Maintainer: Philippe Coval Will also close bugs: 938932 ------------------- Reason ------------------- RoST; unmaintained; security issues ---------------------------------------------- ========================================================================= apache2 (2.4.25-3+deb9u8) stretch-security; urgency=high . [ Xavier Guimard ] * Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092) * Import http2 modules from 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10082, CVE-2019-10081) * Add patch to set PCRE_DOTALL by default (Closes: CVE-2019-10098) . [ Stefan Fritsch ] * Add -Werror=implicit-function-declaration to compile options to catch problems with backports. atftp (0.7.git20120829-3.1~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch-security. . atftp (0.7.git20120829-3.1) unstable; urgency=high . * Non-maintainer upload. * Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553) * Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553) base-files (9.9+deb9u10) stretch; urgency=medium . * Change /etc/debian_version to 9.10, for Debian 9.10 point release. * Add VERSION_CODENAME to os-release. Closes: #829245. Please note that this is only for stable releases. basez (1.6-3+deb9u1) stretch; urgency=medium . * Properly decode base64url encoded strings (closes: #931041) bind9 (1:9.10.3.dfsg.P4-12.3+deb9u5) stretch-security; urgency=high . [ Marc Deslauriers (Ubuntu) ] * CVE-2018-5743: limiting simultaneous TCP clients is ineffective. Thanks to Marc Deslauriers of Ubuntu (Closes: #927932) . [ Ondřej Surý ] * Sync Maintainer and Uploaders with unstable * [CVE-2019-6465]: Zone transfer for DLZs are executed though not permitted by ACLs. (Closes: #922955) * [CVE-2018-5745]: Avoid assertion and thus causing named to deliberately exit when a trust anchor's key is replaced with a key which uses an unsupported algorithm. (Closes: #922954) biomaj-watcher (1.2.2-4+deb9u1) stretch; urgency=medium . * Bump (Build-)Depends to default-jdk (>= 2:1.8) (aka openjdk-8). Prevent partial upgrades from jessie (openjdk-7): biomaj-watcher needs to be run with the same jdk version that was used for building. (Closes: #866980) c-icap-modules (1:0.4.4-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add support for clamav 0.101.1 (Closes: #919814). chaosreader (0.96-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Added libnet-dns-perl to Depends field. (Closes: #890589) clamav (0.101.4+dfsg-0+deb9u1) stretch; urgency=medium . * Import 0.101.4 (Closes: 921190) - CVE-2019-12625 (Add scan time limit to limit the processing zip-bombs) (Closes:934359) - CVE-2019-12900 (An out of bounds write was possible within ClamAV's NSIS bzip) - update symbols file (bump to 101.4 and drop unused cli_strnstr). clamav (0.101.2+dfsg-3) unstable; urgency=medium . * Cherry-pick a fix from 0.101.3 to address a vulnerability to non-recursive zip bombs. clamav (0.101.2+dfsg-2) unstable; urgency=medium . * Remove python from build-depends: - Only needed for llvm, which is currently (and probably permanently) disabled - Support python2 removal, if this comes back, it will need to be python3 clamav (0.101.2+dfsg-1+deb10u1) buster; urgency=medium . * Cherry-pick a fix from 0.101.3 to address a vulnerability to non-recursive zip bombs. clamav (0.101.2+dfsg-1) unstable; urgency=high . * Import 0.101.2 - CVE-2019-1787 (An out-of-bounds heap read condition may occur when scanning PDF documents) - CVE-2019-1789 (An out-of-bounds heap read condition may occur when scanning PE files) - CVE-2019-1788 (An out-of-bounds heap write condition may occur when scanning OLE2 files) - CVE-2019-1786 (An out-of-bounds heap read condition may occur when scanning malformed PDF documents) - CVE-2019-1785 (A path-traversal write condition may occur as a result of improper input validation when scanning RAR archives) - CVE-2019-1798 (A use-after-free condition may occur as a result of improper error handling when scanning nested RAR archives) - update symbols file - Remove DetectBrokenExecutables option from clamd template, it is deprecated. * Drop the dbgsym migration line. * Bump standards-version to 4.3.0 without further change clamav (0.101.2+dfsg-0+deb9u1) stretch; urgency=medium . * Import 0.101.2 - CVE-2019-1787 (An out-of-bounds heap read condition may occur when scanning PDF documents) - CVE-2019-1789 (An out-of-bounds heap read condition may occur when scanning PE files) - CVE-2019-1788 (An out-of-bounds heap write condition may occur when scanning OLE2 files) - CVE-2019-1786 (An out-of-bounds heap read condition may occur when scanning malformed PDF documents) - CVE-2019-1785 (A path-traversal write condition may occur as a result of improper input validation when scanning RAR archives) - CVE-2019-1798 (A use-after-free condition may occur as a result of improper error handling when scanning nested RAR archives) - update symbols file - Remove DetectBrokenExecutables option from clamd template, it is deprecated. clamav (0.101.1+dfsg-3) unstable; urgency=medium . * Upload to unstable. clamav (0.101.1+dfsg-2) experimental; urgency=medium . [ Scott Kitterman ] * Add information to README.Debian on configuring clamav-milter's socket to work with postfix . [ Sebastian Andrzej Siewior ] * debian/libclamav-dev.install: also install clamav-types.h clamav (0.101.1+dfsg-1) experimental; urgency=medium . [ Scott Kitterman ] * Update debian/copyright * Add Build-Depends-Package to libclamav9.symbols * Update clamav-docs.doc-base for re-organized documentation * Add lintian override for source-is-missing on test file that happens to have long line length * Drop build-depends on electric-fence, upstream no longer ships the relevant tests that used it . [ Sebastian Andrzej Siewior ] * Import 0.101.1 - update symbol file - add back the json/curl configure options (don't rely on autodetect). * Add abstractions/openssl to apparmor's profile. Thanks to intrigeri for the help (Closes: #913020). * Load the apparmor profile before starting the daemon. Thanks to intrigeri for the help (Closes: #903834). * Add attach_disconnected to freshclam's apparmor profile to hopefully get it properly working in overlayfs enviroment. Thanks to Vincas Dargis (Closes: #917648). clamav (0.101.0+dfsg-1) experimental; urgency=medium . [ Scott Kitterman ] * Increase clamd socket command read timeout to 30 seconds (Closes: #915098) . [ Sebastian Andrzej Siewior ] * Import new upstream release. - update symbol file. - add new options to the config file. - package libclamav9 corekeeper (1.7~deb9u1) stretch; urgency=medium . * Backport security hardening fixes to stretch . corekeeper (1.7) unstable; urgency=medium . * Do not use a world-writable /var/crash with the dumper script and fix the permissions on upgrade as dpkg doesn't do that. (Closes: #924397) (See-also: #515211) * Handle older versions of the Linux kernel in a safer way (Closes: #924398) * Harden ownership determination and core file names * Do not truncate core names for executables with spaces * Update VCS URLs from alioth to salsa cups (2.2.1-8+deb9u4) stretch; urgency=low . * Fix multiple security/disclosure issues (Closes: #934957) - CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows - Fixed IPP buffer overflow - Fixed memory disclosure issue in the scheduler - Fixed DoS issues in the scheduler cups-filters (1.11.6-3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * foomatic-rip: Changed Ghostscript call to count pages in a PDF file to use "runpdfbegin" and not the undocumented Ghostscript internal "pdfdict". (Closes: #926576, #928936) cyrus-imapd (2.5.10-3+deb9u1) stretch-security; urgency=high . * Add patch to fix arbitrary code execution via CalDAV (Closes: CVE-2019-11356) dansguardian (2.10.1.1-5.1+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Add support for clamav 0.101 (Closes: #923981). dbus (1.10.28-0+deb9u1) stretch-security; urgency=medium . * New upstream stable release - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 authentication for identities that differ from the user running the DBusServer. Previously, a local attacker could manipulate symbolic links in their own home directory to bypass authentication and connect to a DBusServer with elevated privileges. The standard system and session dbus-daemons in their default configuration were immune to this attack because they did not allow DBUS_COOKIE_SHA1, but third-party users of DBusServer such as Upstart could be vulnerable. - Prevent reading up to 3 bytes beyond the end of a truncated message. This could in principle be an information leak or denial of service on the system bus, but is not believed to be exploitable to crash the system bus or leak interesting information in practice. - Stop the dbus-daemon leaking memory (an error message) if delivering the message that triggered auto-activation is forbidden. This is technically a denial of service because the dbus-daemon will run out of memory eventually, but it's a very slow and noisy one, because all the rejected messages are also very likely to have been logged to the system log, and its scope is typically limited by the finite number of activatable services available. - Remove __attribute__((__malloc__)) attribute on dbus_realloc(), which does not meet the criteria for that attribute in gcc 4.7+, potentially leading to miscompilation. - Fix build with gcc 8 -Werror=cast-function-type - Fix warning from gcc 8 about suspicious use of strncpy() when populating struct sockaddr_un - Fix installation of Ducktype documentation with newer yelp-build versions * d/control: Update Vcs-Git, Vcs-Browser debian-archive-keyring (2017.5+deb9u1) stretch; urgency=medium . * Team upload. . [ Philipp Kern ] * Remove Wheezy's keys (automatic and stable release). (Closes: #901320) . [ Adam D. Barratt ] * Add Vcs-* headers. * Ensure fragments for Wheezy keys are removed. . [ Jonathan Wiltshire ] * Add my own key to the team-members keyring * Add Debian Stable Release key (10/buster) (ID: DCC9EFBF77E11517) (Closes: #917536) * Add Debian Archive Automatic Signing Key (10/buster) (ID: BCDDDC30D7C23CBBABEE) and Debian Security Archive Automatic Signing Key (10/buster) (ID: C5FF4DFAB270CAA96DFA) (Closes: #917535) debian-installer (20170615+deb9u7) stretch; urgency=medium . [ Samuel Thibault ] * Keep grub resolution in EFI boot, to avoid tiny fonts (closes: #910227). . [ Julien Cristau ] * Bump linux ABI to 4.9.0-11. debian-installer-netboot-images (20170615+deb9u7) stretch; urgency=medium . * Update to 20170615+deb9u7 images, from stretch-proposed-updates dosbox (0.74-4.2+deb9u2) stretch-security; urgency=medium . * Apply upstream fixes for two security issues: - CVE-2019-7165: long lines in batch files would overflow the parsing buffer; - CVE-2019-12594: programs running inside DOSBox could access /proc. Closes: #931222. dovecot (1:2.2.27-3+deb9u5) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix CVE-2019-11500 - lib-imap: Don't accept strings with NULs - lib-imap: Make sure str_unescape() won't be writing past allocated memory - lib-managesieve: Don't accept strings with NULs - lib-managesieve: Make sure str_unescape() won't be writing past allocated memory drupal7 (7.52-2+deb9u9) stretch-security; urgency=high . * SA-CORE-2019-006: Fixes bundled library's insecure management of deserialization (Closes: #928688) evolution (3.22.6-1+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2018-15587: backport patches to mitigate possible signature/encryption spoofing in PGP encrypted mail. (Closes: #924616) + [GPG] Mails that are not encrypted look encrypted + Show security bar above message headers exim4 (4.89-2+deb9u5) stretch-security; urgency=high . * Fix remote command execution vulnerability related to "${sort}"-expansion. CVE-2019-13917 OVE-20190718-0006 exim4 (4.89-2+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix remote command execution vulnerability (CVE-2019-10149) expat (2.2.0-2+deb9u2) stretch-security; urgency=high . * Fix extraction of namespace prefix from XML name (CVE-2018-20843) (closes: #931031). fence-agents (4.0.25-1+deb9u1) stretch; urgency=medium . * fence_rhevm: add patch for CVE-2019-10153 (Closes: #930887) ffmpeg (7:3.2.14-1~deb9u1) stretch-security; urgency=medium . * New upstream release(s). - avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces (CVE-2019-9718) - avcodec/hevcdec: Avoid only partly skiping duplicate first slices (CVE-2019-11338) - avformat/asfdec_o: Check size_bmp more fully (CVE-2018-1999011) - avformat/flvenc: Check audio packet size (CVE-2018-15822) fig2dev (1:3.2.6a-2+deb9u2) stretch; urgency=medium . * 40_circle_arrowhead: Do not segfault on circle/half circle arrowheads with a magnification larger 42. This fixes CVE-2019-14275. (Closes: #933075). * Adapt salsa CI pipeline to stretch release. firefox-esr (60.7.1esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-18, also known as CVE-2019-11707. firefox-esr (60.7.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-14, also known as: CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-7317, CVE-2019-9797, CVE-2018-18511, CVE-2019-11698, CVE-2019-5798, CVE-2019-9800. . * debian/rules: Avoid rust build errors with newer versions of rustc by capping lints to warnings. firefox-esr (60.7.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-14, also known as: CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-7317, CVE-2019-9797, CVE-2018-18511, CVE-2019-11698, CVE-2019-5798, CVE-2019-9800. . * debian/rules: Avoid rust build errors with newer versions of rustc by capping lints to warnings. firefox-esr (60.6.3esr-1) unstable; urgency=medium . * New upstream release. - Additional fixes for addon signature validation. firefox-esr (60.6.3esr-1~deb9u1) stretch; urgency=medium . * New upstream release. - Additional fixes for addon signature validation. firefox-esr (60.6.2esr-1) unstable; urgency=medium . * New upstream release. - Fixes issues with addon signature validation. Closes: #928415, #928449. Note: this didn't affect addons installed via Debian packages. firefox-esr (60.6.2esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. - Fixes issues with addon signature validation. Closes: #928415, #928449. Note: this didn't affect addons installed via Debian packages. firefox-esr (60.6.1esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-10, also known as: CVE-2019-9810, CVE-2019-9813. fribidi (0.19.7-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * libfribidi0-udeb: Fix right-to-left output in textual version of d-i by installing the shared library files into a multi-arch libdir (Closes: #917909). fusiondirectory (1.0.19-1+deb9u1) stretch; urgency=medium . * debian/patches: + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch. Perform stricter check on LDAP success/failure (CVE-2019-11187). * debian/control: + Add to D (fusiondirectory): php-xml. (Closes: #931959). gettext (0.19.8.1-2+deb9u1) stretch; urgency=medium . * Stop xgettext() from crashing when run with --its=FILE option. Patch taken from Debian 10, which in turn was extracted from upstream git. Should help the inkscape project. Closes: #891347. See https://gitlab.com/inkscape/inkscape/issues/271 for details. ghostscript (9.26a~dfsg-0+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * protect use of .forceput with executeonly (CVE-2019-10216) ghostscript (9.26a~dfsg-0+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp) (CVE-2019-3839) * Fix lib/pdf2dsc.ps to use documented Ghostscript pdf procedures glib2.0 (2.50.3-2+deb9u1) stretch; urgency=medium . * Team upload * d/gbp.conf: Add GNOME team configuration * d/p/gfile-Limit-access-to-files-when-copying.patch: When copying files, give the temporary partial copy of the file suitably restrictive permissions (Closes: #929753; CVE-2019-12450) * d/p/keyfile-settings-Use-tighter-permissions.patch: Create directory and file with restrictive permissions when using the GKeyfileSettingsBackend. Mitigation: in this version of GLib, the GKeyfileSettingsBackend can only be used explicitly by code, and is never selected automatically. (Closes: #931234; CVE-2019-13012) * d/p/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch, d/p/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch: Avoid buffer read overrun when formatting error messages for invalid UTF-8 in GMarkup (CVE-2018-16429) * d/p/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch: Avoid NULL dereference when parsing invalid GMarkup with a malformed closing tag not paired with an opening tag (CVE-2018-16429) gocode (20150303-3+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * gocode-auto-complete-el: Make Pre-Depends: auto-complete-el versioned to fix upgrades from jessie to stretch. groonga (6.1.5-1+deb9u1) stretch; urgency=medium . * debian/groonga-httpd.logrotate debian/groonga-server-gqtp.logrotate - Mitigate privilege escalation by changing the owner and group of logs with "su" option. Reported by Wolfgang Hotwagner. (Closes: #928304) (CVE-2019-11675) grub2 (2.02~beta3-5+deb9u2) stretch; urgency=medium . * Cherry-pick upstream patches for Xen UEFI support (closes: #930028): - i386/relocator: Add grub_relocator64_efi relocator - multiboot2: Add tags used to pass ImageHandle to loaded image - multiboot2: Do not pass memory maps to image if EFI boot services are enabled - multiboot2: Add support for relocatable images - Use grub-file to figure out whether multiboot2 should be used for Xen.gz gsoap (2.8.35-4+deb9u2) stretch; urgency=medium . * Fix for CVE-2019-7659 Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag. * Fix issue with DIME protocol receiver and malformed DIME headers This patch addresses a critical issue with the DIME protocol receiver that may cause the receiver to become unresponsive when a malformed DIME protocol message is received. -- https://www.genivia.com/advisory.html gst-plugins-base1.0 (1.10.4-1+deb9u1) stretch-security; urgency=medium . * CVE-2019-9928 (Closes: #927978) gthumb (3:3.4.4.1-5+deb9u1) stretch; urgency=medium . * debian/patches/ - cve-2018-18718.patch file (Closes: #912290) CVE-2018-18718 - CWE-415: Double Free The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. . There is a suspected double-free bug with static void add_themes_from_dir() dlg-contact-sheet.c. This method involves two successive calls of g_free(buffer) (line 354 and 373), and is likely to cause double-free of the buffer. One possible fix could be directly assigning the buffer to NULL after the first call of g_free(buffer). Thanks Tianjun Wu https://gitlab.gnome.org/GNOME/gthumb/issues/18 havp (0.92a-4+deb9u1) stretch; urgency=medium . * Add support for clamav 0.101 (Closes: #920865). * Bump libclamav-dev build-depends to match heimdal (7.1.0+dfsg-13+deb9u3) stretch-security; urgency=medium . * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum. Closes: #928966. * CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT. Closes: #929064. * Update test certificates to pre 2038 expiry. icu (57.1-6+deb9u3) stretch; urgency=medium . * Fix pkgdata command segfault (closes: #893009). imagemagick (8:6.9.7.4+dfsg-11+deb9u7) stretch-security; urgency=medium . * CVE-2019-10650 (Closes: #926091) * CVE-2019-9956 (Closes: #925395) intel-microcode (3.20190618.1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security (no changes) * Refer to DSA 4447-1 for details . intel-microcode (3.20190618.1) unstable; urgency=medium . * New upstream microcode datafile 20190618 + SECURITY UPDATE Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223 CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 for Sandybridge server and Core-X processors + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432 sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456 * Add some missing (minor) changelog entries to 3.20190514.1 * Reformat 3.20190514.1 changelog entry to match rest of changelog intel-microcode (3.20190514.1) unstable; urgency=high . * New upstream microcode datafile 20190514 * SECURITY UPDATE Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223 CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 * New Microcodes: sig 0x00030678, pf_mask 0x02, 2019-04-22, rev 0x0838, size 52224 sig 0x00030678, pf_mask 0x0c, 2019-04-22, rev 0x0838, size 52224 sig 0x00030679, pf_mask 0x0f, 2019-04-23, rev 0x090c, size 52224 sig 0x000406c3, pf_mask 0x01, 2019-04-23, rev 0x0368, size 69632 sig 0x000406c4, pf_mask 0x01, 2019-04-23, rev 0x0411, size 68608 sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x5000021, size 47104 * Updated Microcodes: sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288 sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336 sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456 sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384 sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408 sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816 sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432 sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504 sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600 sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336 sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352 sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb000036, size 30720 sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x200005e, size 32768 sig 0x00050662, pf_mask 0x10, 2019-03-23, rev 0x001a, size 32768 sig 0x00050663, pf_mask 0x10, 2019-03-23, rev 0x7000017, size 24576 sig 0x00050664, pf_mask 0x10, 2019-03-23, rev 0xf000015, size 23552 sig 0x00050665, pf_mask 0x10, 2019-03-23, rev 0xe00000d, size 19456 sig 0x000506c9, pf_mask 0x03, 2019-01-15, rev 0x0038, size 17408 sig 0x000506ca, pf_mask 0x03, 2019-03-01, rev 0x0016, size 15360 sig 0x000506e3, pf_mask 0x36, 2019-04-01, rev 0x00cc, size 100352 sig 0x000506f1, pf_mask 0x01, 2019-03-21, rev 0x002e, size 11264 sig 0x000706a1, pf_mask 0x01, 2019-01-02, rev 0x002e, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-04-01, rev 0x00b4, size 98304 sig 0x000806e9, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806ea, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-03-30, rev 0x00b8, size 98304 sig 0x000806ec, pf_mask 0x94, 2019-03-30, rev 0x00b8, size 97280 sig 0x000906e9, pf_mask 0x2a, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ea, pf_mask 0x22, 2019-04-01, rev 0x00b4, size 98304 sig 0x000906eb, pf_mask 0x02, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-03-17, rev 0x00b8, size 97280 intel-microcode (3.20190514.1~deb9u1) stretch-security; urgency=high . * Rebuild for stretch-security (no changes) . intel-microcode (3.20190514.1) unstable; urgency=high . * New upstream microcode datafile 20190514 * SECURITY UPDATE Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223 CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 * New Microcodes: sig 0x00030678, pf_mask 0x02, 2019-04-22, rev 0x0838, size 52224 sig 0x00030678, pf_mask 0x0c, 2019-04-22, rev 0x0838, size 52224 sig 0x00030679, pf_mask 0x0f, 2019-04-23, rev 0x090c, size 52224 sig 0x000406c3, pf_mask 0x01, 2019-04-23, rev 0x0368, size 69632 sig 0x000406c4, pf_mask 0x01, 2019-04-23, rev 0x0411, size 68608 sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x5000021, size 47104 * Updated Microcodes: sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288 sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336 sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456 sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384 sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408 sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816 sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432 sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504 sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600 sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336 sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352 sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb000036, size 30720 sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x200005e, size 32768 sig 0x00050662, pf_mask 0x10, 2019-03-23, rev 0x001a, size 32768 sig 0x00050663, pf_mask 0x10, 2019-03-23, rev 0x7000017, size 24576 sig 0x00050664, pf_mask 0x10, 2019-03-23, rev 0xf000015, size 23552 sig 0x00050665, pf_mask 0x10, 2019-03-23, rev 0xe00000d, size 19456 sig 0x000506c9, pf_mask 0x03, 2019-01-15, rev 0x0038, size 17408 sig 0x000506ca, pf_mask 0x03, 2019-03-01, rev 0x0016, size 15360 sig 0x000506e3, pf_mask 0x36, 2019-04-01, rev 0x00cc, size 100352 sig 0x000506f1, pf_mask 0x01, 2019-03-21, rev 0x002e, size 11264 sig 0x000706a1, pf_mask 0x01, 2019-01-02, rev 0x002e, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-04-01, rev 0x00b4, size 98304 sig 0x000806e9, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806ea, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-03-30, rev 0x00b8, size 98304 sig 0x000806ec, pf_mask 0x94, 2019-03-30, rev 0x00b8, size 97280 sig 0x000906e9, pf_mask 0x2a, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ea, pf_mask 0x22, 2019-04-01, rev 0x00b4, size 98304 sig 0x000906eb, pf_mask 0x02, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-03-17, rev 0x00b8, size 97280 . intel-microcode (3.20190312.1) unstable; urgency=medium . * New upstream microcode datafile 20190312 + Removed Microcodes: sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720 + New Microcodes: sig 0x000806e9, pf_mask 0x10, 2018-10-18, rev 0x009e, size 98304 sig 0x000806eb, pf_mask 0xd0, 2018-10-25, rev 0x00a4, size 99328 sig 0x000806ec, pf_mask 0x94, 2019-02-12, rev 0x00b2, size 98304 sig 0x000906ec, pf_mask 0x22, 2018-09-29, rev 0x00a2, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-02-04, rev 0x00b0, size 97280 + Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2018-11-20, rev 0x0041, size 34816 sig 0x000306f4, pf_mask 0x80, 2018-11-06, rev 0x0013, size 17408 sig 0x00050654, pf_mask 0xb7, 2019-01-28, rev 0x200005a, size 33792 sig 0x00050662, pf_mask 0x10, 2018-12-06, rev 0x0019, size 32768 sig 0x00050663, pf_mask 0x10, 2018-12-06, rev 0x7000016, size 23552 sig 0x00050664, pf_mask 0x10, 2018-11-17, rev 0xf000014, size 23552 sig 0x00050665, pf_mask 0x10, 2018-11-17, rev 0xe00000c, size 19456 sig 0x000506c9, pf_mask 0x03, 2018-09-14, rev 0x0036, size 17408 sig 0x000506ca, pf_mask 0x03, 2018-09-20, rev 0x0010, size 15360 sig 0x000706a1, pf_mask 0x01, 2018-09-21, rev 0x002c, size 73728 sig 0x000806e9, pf_mask 0xc0, 2018-07-16, rev 0x009a, size 98304 sig 0x000806ea, pf_mask 0xc0, 2018-10-18, rev 0x009e, size 98304 sig 0x000906e9, pf_mask 0x2a, 2018-07-16, rev 0x009a, size 98304 sig 0x000906ea, pf_mask 0x22, 2018-12-12, rev 0x00aa, size 98304 sig 0x000906eb, pf_mask 0x02, 2018-12-12, rev 0x00aa, size 99328 intel-microcode (3.20190312.1) unstable; urgency=medium . * New upstream microcode datafile 20190312 + Removed Microcodes: sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720 + New Microcodes: sig 0x000806e9, pf_mask 0x10, 2018-10-18, rev 0x009e, size 98304 sig 0x000806eb, pf_mask 0xd0, 2018-10-25, rev 0x00a4, size 99328 sig 0x000806ec, pf_mask 0x94, 2019-02-12, rev 0x00b2, size 98304 sig 0x000906ec, pf_mask 0x22, 2018-09-29, rev 0x00a2, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-02-04, rev 0x00b0, size 97280 + Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2018-11-20, rev 0x0041, size 34816 sig 0x000306f4, pf_mask 0x80, 2018-11-06, rev 0x0013, size 17408 sig 0x00050654, pf_mask 0xb7, 2019-01-28, rev 0x200005a, size 33792 sig 0x00050662, pf_mask 0x10, 2018-12-06, rev 0x0019, size 32768 sig 0x00050663, pf_mask 0x10, 2018-12-06, rev 0x7000016, size 23552 sig 0x00050664, pf_mask 0x10, 2018-11-17, rev 0xf000014, size 23552 sig 0x00050665, pf_mask 0x10, 2018-11-17, rev 0xe00000c, size 19456 sig 0x000506c9, pf_mask 0x03, 2018-09-14, rev 0x0036, size 17408 sig 0x000506ca, pf_mask 0x03, 2018-09-20, rev 0x0010, size 15360 sig 0x000706a1, pf_mask 0x01, 2018-09-21, rev 0x002c, size 73728 sig 0x000806e9, pf_mask 0xc0, 2018-07-16, rev 0x009a, size 98304 sig 0x000806ea, pf_mask 0xc0, 2018-10-18, rev 0x009e, size 98304 sig 0x000906e9, pf_mask 0x2a, 2018-07-16, rev 0x009a, size 98304 sig 0x000906ea, pf_mask 0x22, 2018-12-12, rev 0x00aa, size 98304 sig 0x000906eb, pf_mask 0x02, 2018-12-12, rev 0x00aa, size 99328 intel-microcode (3.20190312.1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports (no changes) . intel-microcode (3.20190312.1) unstable; urgency=medium . * New upstream microcode datafile 20190312 + Removed Microcodes: sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720 + New Microcodes: sig 0x000806e9, pf_mask 0x10, 2018-10-18, rev 0x009e, size 98304 sig 0x000806eb, pf_mask 0xd0, 2018-10-25, rev 0x00a4, size 99328 sig 0x000806ec, pf_mask 0x94, 2019-02-12, rev 0x00b2, size 98304 sig 0x000906ec, pf_mask 0x22, 2018-09-29, rev 0x00a2, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-02-04, rev 0x00b0, size 97280 + Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2018-11-20, rev 0x0041, size 34816 sig 0x000306f4, pf_mask 0x80, 2018-11-06, rev 0x0013, size 17408 sig 0x00050654, pf_mask 0xb7, 2019-01-28, rev 0x200005a, size 33792 sig 0x00050662, pf_mask 0x10, 2018-12-06, rev 0x0019, size 32768 sig 0x00050663, pf_mask 0x10, 2018-12-06, rev 0x7000016, size 23552 sig 0x00050664, pf_mask 0x10, 2018-11-17, rev 0xf000014, size 23552 sig 0x00050665, pf_mask 0x10, 2018-11-17, rev 0xe00000c, size 19456 sig 0x000506c9, pf_mask 0x03, 2018-09-14, rev 0x0036, size 17408 sig 0x000506ca, pf_mask 0x03, 2018-09-20, rev 0x0010, size 15360 sig 0x000706a1, pf_mask 0x01, 2018-09-21, rev 0x002c, size 73728 sig 0x000806e9, pf_mask 0xc0, 2018-07-16, rev 0x009a, size 98304 sig 0x000806ea, pf_mask 0xc0, 2018-10-18, rev 0x009e, size 98304 sig 0x000906e9, pf_mask 0x2a, 2018-07-16, rev 0x009a, size 98304 sig 0x000906ea, pf_mask 0x22, 2018-12-12, rev 0x00aa, size 98304 sig 0x000906eb, pf_mask 0x02, 2018-12-12, rev 0x00aa, size 99328 intel-microcode (3.20180807a.2) unstable; urgency=medium . * Makefile: unblacklist 0x206c2 (Westmere EP) According to pragyansri.pathi@intel.com, on message to LP#1795594 on 2018-10-09, we can ship 0x206c2 updates without restrictions. Also, there are no reports in the field about this update causing issues (closes: #907402) (LP: #1795594) jackson-databind (2.8.6-1+deb9u5) stretch-security; urgency=high . * Team upload. * Fix CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362 and CVE-2019-12086. Several deserialization flaws were discovered in jackson-databind which could allow an unauthenticated user to perform code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. kconfig (5.28.0-2+deb9u1) stretch-security; urgency=medium . * CVE-2019-14744 koji (1.10.0-1+deb9u1) stretch; urgency=medium . * Team upload. * Add patch based on upstream commit bdec8c7399 to fix CVE-2018-1002161, an SQL injection issue in multiple remote calls. Closes: #922922. * Add patch based on upstream commit ba7b5a3cbe to fix CVE-2017-1002153, to properly validate SCM pathes. Closes: #877921. lemonldap-ng (1.9.7-3+deb9u2) stretch; urgency=medium . * Fix CDA regression introduced in 1.9.7-3+deb9u1 * Fix XXE vulnerability (Closes: #931117) lemonldap-ng (1.9.7-3+deb9u1) stretch-security; urgency=medium . * Add patch to fix token security (Closes: #928944, CVE-2019-12046) libcaca (0.99.beta19-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . libcaca (0.99.beta19-2.1) unstable; urgency=medium . * Non-maintainer upload. * Cherry-Pick fixes from upstream git repository: - CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and CVE-2018-20549 (Closes: #917807) libclamunrar (0.101.2-0+deb9u1) stretch; urgency=high . * Import 0.101.2 - CVE-2019-1785 (A path-traversal write condition may occur as a result of improper input validation when scanning RAR archives) - CVE-2019-1798 (A use-after-free condition may occur as a result of improper error handling when scanning nested RAR archives) libclamunrar (0.101.1-2) unstable; urgency=medium . * Upload to unstable. libclamunrar (0.101.1-1) experimental; urgency=medium . * Update to new upstream version. - ABI changes from 7 to 9, some symbols changed. * Bumped standards version to 4.3.0 without any changes. libclamunrar (0.100.1-1) unstable; urgency=medium . [ Scott Kitterman ] * Delete symlinks to files no longer shipped in libclamav7 (Closes: #903792) . [ Sebastian Andrzej Siewior ] * Update to upstream version. - Buffer over-read in unRAR code due to missing max value checks in table initialization. Reported by Rui Reis. libconvert-units-perl (1:0.43-11~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . libconvert-units-perl (1:0.43-11) unstable; urgency=medium . * Team upload. * Re-upload with version bumped to 1:0.43-11 in order to avoid filename clashes between 1:0.43-2 and the pre-epoch 0.43-2 version. Thanks: Andreas Beckmann for the bug report. Closes: #929615 libdatetime-timezone-perl (1:2.09-1+2019b) stretch; urgency=medium . * Update to Olson database version 2019b. This update contains contemporary changes for Brazil and Palestine. libebml (1.3.4-1+deb9u1) stretch; urgency=medium . * debian/patches: Apply upstream fixes for heap-based buffer over-reads. (CVE-2019-13615) (Closes: #932241) libevent-rpc-perl (1.08-2+deb9u1) stretch; urgency=medium . * Team upload. * Fix FTBFS due to expired test SSL certificates (Closes: #903124) libgd2 (2.2.4-2+deb9u5) stretch; urgency=high . * Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm (Closes: #929821) libgovirt (0.3.4-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Regenerate test certificates with expiration date far in the future to fix test failures (closes: #915270). libpng1.6 (1.6.28-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Call png_image_free_function without guarding it with png_safe_execute (CVE-2019-7317) (Closes: #921355) libpng1.6 (1.6.28-1exp4) experimental; urgency=medium . * Override autoreconf due to debhelper bug 844504 libpng1.6 (1.6.28-1exp3) experimental; urgency=medium . * No-autoreconf for cmake builds libpng1.6 (1.6.28-1exp2) experimental; urgency=medium . * Readd multiarch patch, it was merged by upstream on master but not on 1.6 branch libpng1.6 (1.6.28-1exp1) experimental; urgency=medium . * Switch to cmake librecad (2.1.2-1+deb9u1) stretch; urgency=high . * Non-maintainer upload. * Fix CVE-2018-19105: A vulnerability was found in LibreCAD, a computer-aided design system, which could be exploited to crash the application or cause other unspecified impact when opening a specially crafted file. (Closes: #928477) libreoffice (1:5.2.7-1+deb9u10) stretch-security; urgency=high . * debian/patches/expand-LibreLogo-checks-to-global-events.diff, debian/patches/decode-url-escape-codes-and-check-each-path-segment.diff: debian/patches/keep-name-percent-encoded.diff debian/patches/Properly-obtain-location.diff: backport from libreoffice-6-3-0 branch - more fixes for CVE-2019-9848 and CVE-2018-16858 (CVE-2019-9850/CVE-2019-9851) libreoffice (1:5.2.7-1+deb9u9) stretch-security; urgency=high . * debian/patches/More-uses-of-referer-URL-with-SvxBrushItem.diff: backport patch from libreoffice-6-2 branch to fix CVE-2019-9849 libreoffice (1:5.2.7-1+deb9u8) stretch-security; urgency=high . * debian/patches/sanitize-LibreLogo-calls.diff, debian/patches/explictly-exclude-LibreLogo-from-XScript-usage.diff: add from git; fixing CVE-2019-9848 libsdl2-image (2.0.1+dfsg-2+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Multiple security issues (Closes: #932754): - CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c). - CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c. - CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). - CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221, CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). libthrift-java (0.9.1-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . libthrift-java (0.9.1-2.1) unstable; urgency=high . * Non-maintainer upload. * Fix CVE-2018-1320: It was discovered that it was possible to bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete. (Closes: #918736) libtk-img (1:1.4.6+dfsg-1+deb9u1) stretch; urgency=medium . * Switch from the internal copies of Jpeg, Zlib and PixarLog codecs to the libtiff ones (closes: #931422). libu2f-host (1.1.2-2+deb9u2) stretch; urgency=medium . * Backport fix for CVE-2019-9578 (Closes: #923874) * Configure git-buildpackage for stretch libvirt (3.0.0-4+deb9u4) stretch-security; urgency=medium . * Fix CVEs related to privilege escalations on R/O connections. - CVE-2019-10161: CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch - CVE-2019-10167: api-disallow-virConnectGetDomainCapabilities-on-read-only.patch * cpu_map: Define md-clear CPUID bit. CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 * Add spec-ctrl and ibpb CPU features and ibrs CPU models. CVE-2017-5753, CVE-2017-5715 * Add ssbd CPU feature. CVE-2018-3639 libxslt (1.1.29-2.1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743) * Fix uninitialized read of xsl:number token (CVE-2019-13117) (Closes: #931321, #933743) * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118) (Closes: #931320, #933743) linux (4.9.189-3) stretch; urgency=medium . * tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue linux (4.9.189-2) stretch; urgency=medium . [ Salvatore Bonaccorso ] * xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT (CVE-2019-15538) . [ Ben Hutchings ] * [s390x] Revert "perf test 6: Fix missing kvm module load for s390" (fixes FTBFS) linux (4.9.189-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.186 - [x86] Input: elantech - enable middle button support on 2 ThinkPads - mac80211: mesh: fix RCU warning - mac80211: free peer keys before vif down in mesh - netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments - netfilter: ipv6: nf_defrag: accept duplicate fragments again - [armhf] Input: imx_keypad - make sure keyboard can always wake up system - [arm64] KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy - mac80211: only warn once on chanctx_conf being NULL - md: fix for divide error in status_resync - bnx2x: Check if transceiver implements DDM before access - ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL - net :sunrpc :clnt :Fix xps refcount imbalance on the error path - udf: Fix incorrect final NOT_ALLOCATED (hole) extent length - [x86] ptrace: Fix possible spectre-v1 in ptrace_get_debugreg() - [x86] tls: Fix possible spectre-v1 in do_get_thread_area() - fscrypt: don't set policy for a dead directory - USB: serial: ftdi_sio: add ID for isodebug v1 - USB: serial: option: add support for GosunCn ME3630 RNDIS mode - Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled" - p54usb: Fix race between disconnect and firmware loading (CVE-2019-15220) - usb: gadget: ether: Fix race between gether_disconnect and rx_submit - [i386] staging: comedi: dt282x: fix a null pointer deref on interrupt - [x86] staging: comedi: amplc_pci230: fix null pointer deref on interrupt - carl9170: fix misuse of device driver API - [x86] VMCI: Fix integer overflow in VMCI handle arrays - Revert "e1000e: fix cyclic resets at link up with active tx" - e1000e: start network tx queue only when link is up - [arm64] crypto: remove accidentally backported files - perf/core: Fix perf_sample_regs_user() mm check - [armhf] omap2: remove incorrect __init annotation - be2net: fix link failure after ethtool offline test - ppp: mppe: Add softdep to arc4 - sis900: fix TX completion - dm verity: use message limit for data block corruption message - [s390x] fix stfle zero padding - [s390x] qdio: (re-)initialize tiqdio list entries - [s390x] qdio: don't touch the dsci in tiqdio_add_input_queues() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.187 - [arm64] efi: Mark __efistub_stext_offset as an absolute symbol explicitly - [armhf] dmaengine: imx-sdma: fix use-after-free on probe error path - ath10k: Do not send probe response template for mesh - ath9k: Check for errors when reading SREV register - ath6kl: add some bounds checking - ath: DFS JP domain W56 fixed pulse type 3 RADAR detection - batman-adv: fix for leaked TVLV handler. - media: dvb: usb: fix use after free in dvb_usb_device_exit - media: marvell-ccic: fix DMA s/g desc number calculation - media: media_device_enum_links32: clean a reserved field - [armhf,arm64] net: stmmac: dwmac1000: Clear unused address entries - [armhf,arm64] net: stmmac: dwmac4/5: Clear unused address entries - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig - af_key: fix leaks in key_pol_get_resp and dump_sp. - xfrm: Fix xfrm sel prefix length validation - media: mc-device.c: don't memset __user pointer contents - net: phy: Check against net_device being NULL - tua6100: Avoid build warnings. - [armhf] media: wl128x: Fix some error handling in fm_v4l2_init_video_device() - cpupower : frequency-set -r option misses the last cpu in related cpu list - [s390x] qdio: handle PENDING state for QEBSM devices - perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode - [armhf] gpio: omap: fix lack of irqstatus_raw0 for OMAP4 - [armhf] gpio: omap: ensure irq is enabled before wakeup - regmap: fix bulk writes on paged registers - bpf: silence warning messages in core - rcu: Force inlining of rcu_read_lock() - blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration - xfrm: fix sa selector validation - perf evsel: Make perf_evsel__name() accept a NULL argument - vhost_net: disable zerocopy by default - ipoib: correcly show a VF hardware address - EDAC/sysfs: Fix memory leak when creating a csrow object - ipsec: select crypto ciphers for xfrm_algo - media: i2c: fix warning same module names - ntp: Limit TAI-UTC offset - timer_list: Guard procfs specific code - [arm64] acpi: ignore 5.1 FADTs that are reported as 5.0 - mt7601u: do not schedule rx_tasklet when the device has been disconnected - mt7601u: fix possible memory leak when the device is disconnected - ath10k: fix PCIE device wake up failed - perf tools: Increase MAX_NR_CPUS and MAX_CACHES - libata: don't request sense data on !ZAC ATA devices - [armhf] clocksource/drivers/exynos_mct: Increase priority over ARM arch timer - rslib: Fix decoding of shortened codes - rslib: Fix handling of of caller provided syndrome - ixgbe: Check DDM existence in transceiver before access - crypto: asymmetric_keys - select CRYPTO_HASH where needed - EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec - bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush() - iwlwifi: mvm: Drop large non sta frames - net: usb: asix: init MAC address buffers - gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants - Bluetooth: hci_bcsp: Fix memory leak in rx_skb - Bluetooth: 6lowpan: search for destination address in all peers - Bluetooth: Check state in l2cap_disconnect_rsp - Bluetooth: validate BLE connection interval updates - gtp: fix Illegal context switch in RCU read-side critical section. - gtp: fix use-after-free in gtp_newlink() - crypto: ghash - fix unaligned memory access in ghash_setkey() - [arm64] crypto: sha1-ce - correct digest for empty data in finup - [arm64] crypto: sha2-ce - correct digest for empty data in finup - crypto: chacha20poly1305 - fix atomic sleep when using async algorithm - [armhf] regulator: s2mps11: Fix buck7 and buck8 wrong voltages - [arm64] tegra: Update Jetson TX1 GPU regulator timings - iwlwifi: pcie: don't service an interrupt that was masked - tracing/snapshot: Resize spare buffer if size changed - NFSv4: Handle the special Linux file open access mode - lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE - ALSA: seq: Break too long mutex context in the write loop - [x86] ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine - media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom() - [x86] KVM: vPMU: refine kvm_pmu err msg when event creation failed - [arm64] tegra: Fix AGIC register range - fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes. - drm/nouveau/i2c: Enable i2c pads & busses during preinit - padata: use smp_mb in padata_reorder to avoid orphaned padata jobs - 9p/virtio: Add cleanup path in p9_virtio_init - PCI: Do not poll for PME if the device is in D3cold - Btrfs: add missing inode version, ctime and mtime updates when punching hole - libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields - take floppy compat ioctls to floppy.c - [x86] crypto: ccp - Validate the the error value used to index error messages - [x86] PCI: hv: Delete the device earlier from hbus->children for hot- remove - [x86] PCI: hv: Fix a use-after-free bug in hv_eject_device_work() - [ppc64el] watchpoint: Restore NV GPRs while returning from exception - eCryptfs: fix a couple type promotion bugs - [x86] intel_th: msu: Fix single mode with disabled IOMMU - Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug - usb: Handle USB3 remote wakeup for LPM enabled devices correctly - dm bufio: fix deadlock with loop device - compiler.h: Add read_word_at_a_time() function. - ext4: allow directory holes - bnx2x: Prevent load reordering in tx completion processing - bnx2x: Prevent ptp_task to be rescheduled indefinitely - igmp: fix memory leak in igmpv3_del_delrec() - ipv4: don't set IPv6 only flags to IPv4 addresses - [armhf] net: dsa: mv88e6xxx: wait after reset deactivation - net: neigh: fix multiple neigh timer scheduling - net: openvswitch: fix csum updates for MPLS actions - nfc: fix potential illegal memory access - rxrpc: Fix send on a connected, but unbound socket - [x86] sky2: Disable MSI on ASUS P6T - vrf: make sure skb->data contains ip header to make routing - macsec: fix use-after-free of skb during RX - macsec: fix checksumming after decryption - netrom: fix a memory leak in nr_rx_frame() - netrom: hold sock when setting skb->destructor - bonding: validate ip header before check IPPROTO_IGMP - tcp: Reset bytes_acked and bytes_received when disconnecting - net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling - net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query - net: bridge: stp: don't cache eth dest pointer before skb pull - [x86] perf/amd/uncore: Rename 'L2' to 'LLC' - [x86] perf/amd/uncore: Get correct number of cores sharing last level cache - [x86] perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id - NFSv4: Fix open create exclusive when the server reboots - nfsd: give out fewer session slots as limit approaches - nfsd: fix performance-limiting session calculation - nfsd: Fix overflow causing non-working mounts on 1 TB machines - [armhf,arm64] drm/panel: simple: Fix panel_simple_dsi_probe - usb: core: hub: Disable hub-initiated U1/U2 - [armhf] pinctrl: rockchip: fix leaked of_node references - memstick: Fix error cleanup path of memstick_init - [arm64] tty: serial: msm_serial: avoid system lockup condition - serial: 8250: Fix TX interrupt handling condition - drm/virtio: Add memory barriers for capset cache. - phy: renesas: rcar-gen2: Fix memory leak at error paths - [armhf] drm/rockchip: Properly adjust to a true clock in adjusted_mode - tty: serial_core: Set port active bit in uart_port_activate - usb: gadget: Zero ffs_io_data - [ppc64el] pci/of: Fix OF flags parsing for 64bit BARs - PCI: sysfs: Ignore lockdep for remove attribute - iio: iio-utils: Fix possible incorrect mask calculation - [ppc64el] recordmcount: Fix spurious mcount entries on powerpc - mfd: core: Set fwnode for created devices - [arm64] mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk - RDMA/i40iw: Set queue pair state when being queried - perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning - RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM - [ppc64el] boot: add {get, put}_unaligned_be32 to xz_config.h - f2fs: avoid out-of-range memory access - mailbox: handle failed named mailbox channel request - [ppc64el] eeh: Handle hugepages in ioremap space - 9p: pass the correct prototype to read_cache_page - mm/mmu_notifier: use hlist_add_head_rcu() - usb: wusbcore: fix unbalanced get/put cluster_id - [x86] usb: pci-quirks: Correct AMD PLL quirk detection - [x86] sysfb_efi: Add quirks for some devices with swapped width and height - [x86] speculation/mds: Apply more accurate check on hypervisor platform - [x86] hpet: Fix division by zero in hpet_time_div() - ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1 - ALSA: hda - Add a conexant codec entry to let mute led work - access: avoid the RCU grace period for the temporary subjective credentials - [arm64] dts: marvell: Fix A37xx UART0 register size - i2c: qup: fixed releasing dma without flush operation completion - [arm64] compat: Provide definition for COMPAT_SIGMINSTKSZ (Closes: #904385) - ISDN: hfcsusb: checking idx of ep configuration - media: au0828: fix null dereference in error path - media: cpia2_usb: first wake up, then free in disconnect - media: radio-raremono: change devm_k*alloc to k*alloc - sched/fair: Don't free p->numa_faults with concurrent readers - drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl - ceph: hold i_ceph_lock when removing caps for freeing inode https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.188 - [armhf] dts: rockchip: Make rk3288-veyron-minnie run at hs200 - [armhf] dts: rockchip: Make rk3288-veyron-mickey's emmc work again - [armhf] dts: rockchip: Mark that the rk3288 timer might stop in suspend - ftrace: Enable trampoline when rec count returns back to one - kernel/module.c: Only return -EEXIST for modules that have finished loading - fs/adfs: super: fix use-after-free bug - btrfs: fix minimum number of chunk errors for DUP - ceph: fix improper use of smp_mb__before_atomic() - ceph: return -ERANGE if virtual xattr value didn't fit in buffer - [s390x] scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized - ACPI: fix false-positive -Wuninitialized warning - be2net: Signal that the device cannot transmit during reconfiguration - [x86] apic: Silence -Wtype-limits compiler warnings - mm/cma.c: fail if fixed declaration can't be honored - coda: add error handling for fget - coda: fix build using bare-metal toolchain - uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers - drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings - ipc/mqueue.c: only perform resource calculation if user valid - [x86] kvm: Don't call kvm_spurious_fault() from .fixup - [x86] boot: Remove multiple copy of static function sanitize_boot_params() - Btrfs: fix incremental send failure after deduplication - [armhf,arm64] mmc: dw_mmc: Fix occasional hang after tuning on eMMC - gpiolib: fix incorrect IRQ requesting of an active-low lineevent - selinux: fix memory leak in policydb_init() - [s390x] dasd: fix endless loop after read unit address configuration - [arm*] drivers/perf: arm_pmu: Fix failure path in PM notifier - xen/swiotlb: fix condition for calling xen_destroy_contiguous_region() - IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification - infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping - coredump: fix race condition between collapse_huge_page() and core dumping - eeprom: at24: make spd world-readable again - Backport minimal compiler_attributes.h to support GCC 9 - include/linux/module.h: copy __init/__exit attrs to init/cleanup_module - objtool: Support GCC 9 cold subfunction naming scheme - [x86] mm, gup: prevent get_page() race with munmap in paravirt guest https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.189 - scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure - [armhf] dts: Add pinmuxing for i2c2 and i2c3 for LogicPD SOM-LV - [armhf] dts: Add pinmuxing for i2c2 and i2c3 for LogicPD torpedo - [armhf] dts: logicpd-som-lv: Fix Audio Mute - [arm64] cpufeature: Fix CTR_EL0 field definitions - [arm64] cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} - tcp: be more careful in tcp_fragment() - HID: wacom: fix bit shift for Cintiq Companion 2 - HID: Add quirk for HP X1200 PIXART OEM mouse - RDMA: Directly cast the sockaddr union to sockaddr - IB: directly cast the sockaddr union to aockaddr - objtool: Add machine_real_restart() to the noreturn list - objtool: Add rewind_stack_do_exit() to the noreturn list - libceph: use kbasename() and kill ceph_file_part() - atm: iphase: Fix Spectre v1 vulnerability - net: bridge: delete local fdb on device init failure - net: bridge: mcast: don't delete permanent entries when fast leave is enabled - net: fix ifindex collision during namespace removal - net/mlx5: Use reversed order when unregister devices - net: sched: Fix a possible null-pointer dereference in dequeue_func() - tipc: compat: allow tipc commands without arguments - compat_ioctl: pppoe: fix PPPOEIOCSFWD handling - ip6_tunnel: fix possible use-after-free on xmit - ife: error out when nla attributes are empty - bnx2x: Disable multi-cos feature. - [armhf,arm64] spi: bcm2835: Fix 3-wire mode if DMA is enabled . [ Ben Hutchings ] * Bump ABI to 11 * siphash: implement HalfSipHash1-3 for hash tables (Closes: #935134) * netfilter: conntrack: Use consistent ct id hash calculation (fixes regression in 4.9.168-1+deb9u5) linux (4.9.185-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.185 - [arm64,armhf] usb: chipidea: udc: workaround for endpoint conflict issue - [amd64] IB/hfi1: Silence txreq allocation warnings - Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD - apparmor: enforce nullbyte at end of tag string - parport: Fix mem leak in parport_register_dev_model - [amd64] IB/hfi1: Insure freeze_work work_struct is canceled on shutdown - IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value - [mips*] uprobes: remove set but not used variable 'epc' - [armhf] net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0 - [arm64] net: hns: Fix loopback test failed at copper ports - [arm64] drm/arm/hdlcd: Allow a bit of clock tolerance - scsi: ufs: Check that space was properly alloced in copy_query_response - [s390x] qeth: fix VLAN attribute in bridge_hostnotify udev event - nvme: Fix u32 overflow in the number of namespace list calculation - btrfs: start readahead also in seed devices - can: purge socket error queue on sock destruct - [ppc64el] powerpc/bpf: use unsigned division instruction for 64-bit operations - Bluetooth: Align minimum encryption key size for LE and BR/EDR connections - Bluetooth: Fix regression with minimum encryption key size alignment - cfg80211: fix memory leak of wiphy device name - mac80211: drop robust management frames from unknown TA - mac80211: Do not use stack memory with scatterlist for GMAC - [amd64] IB/hfi1: Avoid hardlockup with flushlist_lock - 9p/rdma: do not disconnect on down_interruptible EAGAIN - 9p: acl: fix uninitialized iattr access - 9p/rdma: remove useless check in cm_event_handler - 9p: p9dirent_read: check network-provided name length - fs/proc/array.c: allow reporting eip/esp for all coredumping threads - [x86] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() - [x86] x86/speculation: Allow guests to use SSBD even if host does not - NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O - cpu/speculation: Warn on unsupported mitigations= parameter - af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET - [arm64,armhf] net: stmmac: fixed new system time seconds value calculation - sctp: change to hold sk after auth shkey is created successfully - tipc: change to use register_pernet_device - tipc: check msg->req data len in tipc_nl_compat_bearer_disable - tun: wake up waitqueues after IFF_UP is set - team: Always enable vlan tx offload - bonding: Always enable vlan tx offload - ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop - net: check before dereferencing netdev_ops during busy poll - bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro - bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err - tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb - Bluetooth: Fix faulty expression for minimum encryption key size check - ASoC: soc-pcm: BE dai needs prepare when pause release after resume - spi: bitbang: Fix NULL pointer dereference in spi_unregister_master - ASoC: max98090: remove 24-bit format support if RJ is 0 - scsi: hpsa: correct ioaccel2 chaining - mm/mlock.c: change count_mm_mlocked_page_nr return type - [mips*] math-emu: do not use bools for arithmetic - [armhf] mfd: omap-usb-tll: Fix register offsets - [armhf] clk: sunxi: fix uninitialized access - [x86] KVM: degrade WARN to pr_warn_ratelimited - [x86] drm/i915/dmc: protect against reading random memory - ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages - ALSA: line6: Fix write on zero-sized buffer - ALSA: usb-audio: fix sign unintended sign extension on left shifts - [x86] lib/mpi: Fix karactx leak in mpi_powm - [armhf] drm/imx: notify drm core before sending event during crtc disable - [armhf] drm/imx: only send event on crtc disable if kept disabled - btrfs: Ensure replaced device doesn't have pending chunk allocation - [x86] tty: rocket: fix incorrect forward declaration of 'rp_init()' - [arm64] vdso: Define vdso_{start,end} as array - [x86] KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC - [amd64] IB/hfi1: Close PSM sdma_progress sleep window - [mips*] Add missing EHB in mtc0 -> mfc0 sequence. - [armhf] dmaengine: imx-sdma: remove BD_INTR for channel0 linux (4.9.184-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.169 - [x86] power: Fix some ordering bugs in __restore_processor_context() - [amd64] power/64: Use struct desc_ptr for the IDT in struct saved_context - [i386] power/32: Move SYSENTER MSR restoration to fix_processor_context() - [x86] power: Make restore_processor_context() sane - [ppc64el] powerpc/tm: Limit TM code inside PPC_TRANSACTIONAL_MEM - [ppc64el] Fix invalid use of register expressions - [ppc64el] powerpc/64s: Add barrier_nospec - [ppc64el] powerpc/64s: Add support for ori barrier_nospec patching - [ppc64el] Avoid code patching freed init sections - [ppc64el] powerpc/64s: Patch barrier_nospec in modules - [ppc64el] powerpc/64s: Enable barrier_nospec based on firmware settings - [ppc64el] Use barrier_nospec in copy_from_user() - [ppc64el] powerpc/64: Use barrier_nospec in syscall entry - [ppc64el] powerpc/64s: Enhance the information in cpu_show_spectre_v1() - [ppc64el] powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 - [ppc64el] powerpc/64: Disable the speculation barrier from the command line - [ppc64el] powerpc/64: Make stf barrier PPC_BOOK3S_64 specific. - [ppc64el] powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC - [ppc64el] powerpc/64: Call setup_barrier_nospec() from setup_arch() - [ppc64el] powerpc/64: Make meltdown reporting Book3S 64 specific - [ppc64el] asm: Add a patch_site macro & helpers for patching instructions - [ppc64el] powerpc/64s: Add new security feature flags for count cache flush - [ppc64el] powerpc/64s: Add support for software count cache flush - [ppc64el] powerpc/pseries: Query hypervisor for count cache flush settings - [ppc64el] powerpc/powernv: Query firmware for count cache flush settings - [ppc64el] security: Fix spectre_v2 reporting - [arm64] kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region - tty: ldisc: add sysctl to prevent autoloading of ldiscs - ipv6: Fix dangling pointer when ipv6 fragment - ipv6: sit: reset ip header pointer in ipip6_rcv - openvswitch: fix flow actions reallocation - qmi_wwan: add Olicard 600 - sctp: initialize _pad of sockaddr_in before copying to user memory - tcp: Ensure DCTCP reacts to losses - vrf: check accept_source_route on the original netdevice - bnxt_en: Reset device on RX buffer errors. - bnxt_en: Improve RX consumer index validity check. - net/mlx5e: Add a lock on tir list - netns: provide pure entropy for net_hash_mix() - net: ethtool: not call vzalloc for zero sized memory request - ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type - ALSA: seq: Fix OOB-reads from strlcpy - Btrfs: do not allow trimming when a fs is mounted with the nologreplay option - block: do not leak memory in bio_copy_user_iov() - genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() - virtio: Honour 'may_reduce_num' in vring_create_virtqueue - [arm64] futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value - [x86] xen: Prevent buffer overflow in privcmd ioctl - sched/fair: Do not re-read ->h_load_next during hierarchical load calculation - PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.170 - perf/core: Restore mmap record type correctly - ext4: add missing brelse() in add_new_gdb_meta_bg() - ext4: report real fs size after failed resize - [i386] ALSA: sb8: add a check for request_region - IB/mlx4: Fix race condition between catas error reset and aliasguid flows - [x86] thermal/int340x_thermal: Add additional UUIDs - [x86] thermal/int340x_thermal: fix mode setting - perf config: Fix an error in the config template documentation - perf config: Fix a memory leak in collect_config() - perf build-id: Fix memory leak in print_sdt_events() - perf top: Fix error handling in cmd_top() - perf hist: Add missing map__put() in error case - perf evsel: Free evsel->counts in perf_evsel__exit() - [arm64] irqchip/mbigen: Don't clear eventid when freeing an MSI - [x86] hpet: Prevent potential NULL pointer dereference - [i386] x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors - [amd64] iommu/vt-d: Check capability before disabling protected memory - [x86] hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error - fix incorrect error code mapping for OBJECTID_NOT_FOUND - ext4: prohibit fstrim in norecovery mode - rsi: improve kernel thread handling to fix kernel panic - 9p: do not trust pdu content for stat item size - 9p locks: add mount option for lock retry interval - f2fs: fix to do sanity check with current segment number - [arm64] serial: uartps: console_setup() can't be placed to init section - HID: i2c-hid: override HID descriptors for certain devices - [x86] ACPI / SBS: Fix GPE storm on recent MacBookPro's - cifs: fallback to older infolevels on findfirst queryinfo retry - kernel: hung_task.c: disable on suspend - [armhf] crypto: sha256/arm - fix crash bug in Thumb2 build - [armhf] crypto: sha512/arm - fix crash bug in Thumb2 build - [amd64] iommu/dmar: Fix buffer overflow during PCI bus notification - [arm64,armhf] soc/tegra: pmc: Drop locking from tegra_powergate_is_powered() - [armel,armhf] 8839/1: kprobe: make patch_lock a raw_spinlock_t - appletalk: Fix use-after-free in atalk_proc_exit - lib/div64.c: off by one in shift - include/linux/swap.h: use offsetof() instead of custom __swapoffset macro - [x86] tpm/tpm_crb: Avoid unaligned reads in crb_recv() - [arm64,armhf] net: stmmac: Set dma ring length before enabling the DMA https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.171 - bonding: fix event handling for stacked bonds - net: atm: Fix potential Spectre v1 vulnerabilities - net: bridge: fix per-port af_packet sockets - net: bridge: multicast: use rcu to access port list from br_multicast_start_querier - net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv - tcp: tcp_grow_window() needs to respect tcp_space() - team: set slave to promisc if team is already in promisc mode - vhost: reject zero size iova range - ipv4: recompile ip options in ipv4_link_failure - ipv4: ensure rcu_read_lock() in ipv4_link_failure() - mmc: sdhci: Fix data command CRC error handling - [x86] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete - CIFS: keep FileInfo handle live during oplock break - [x86] KVM: Don't clear EFER during SMM transitions for 32-bit vCPU - [x86] iio/gyro/bmg160: Use millidegrees for temperature scale - [x86] io: accel: kxcjk1013: restore the range after resume. - [x86] staging: comedi: vmk80xx: Fix use of uninitialized semaphore - [x86] staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf - [x86] staging: comedi: ni_usb6501: Fix use of uninitialized mutex - [x86] staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf - ALSA: core: Fix card races between register and disconnect - Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO" - [x86] Revert "svm: Fix AVIC incomplete IPI emulation" - [x86] crypto: x86/poly1305 - fix overflow during partial reduction - [x86] kprobes: Verify stack frame on kretprobe - kprobes: Mark ftrace mcount handler functions nokprobe - kprobes: Fix error check when reusing optimized probes - rt2x00: do not increment sequence number while re-transmitting - mac80211: do not call driver wake_tx_queue op during reconfig - [x86] perf/x86/amd: Add event map for AMD Family 17h - sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup - device_cgroup: fix RCU imbalance in error case - ALSA: info: Fix racy addition/deletion of nodes - percpu: stop printing kernel addresses (CVE-2018-5995) - [x86] i2c-hid: properly terminate i2c_hid_dmi_desc_override_table[] array - kernel/sysctl.c: fix out-of-bounds access when setting file-max https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.172 - kbuild: simplify ld-option implementation - cifs: do not attempt cifs operation on smb2+ rename error - tracing: Fix a memory leak by early error exit in trace_pid_write() - [mips*] scall64-o32: Fix indirect syscall number load - trace: Fix preempt_enable_no_resched() abuse - IB/rdmavt: Fix frwr memory registration - sched/numa: Fix a possible divide-by-zero - ceph: ensure d_name stability in ceph_dentry_hash() - ceph: fix ci->i_head_snapc leak - nfsd: Don't release the callback slot unless it was actually held - sunrpc: don't mark uninitialised items as VALID. - [arm64,armhf] drm/vc4: Fix memory leak during gpu reset. - [arm64,armhf] drm/vc4: Fix compilation error reported by kbuild test bot - USB: Add new USB LPM helpers - USB: Consolidate LPM checks to avoid enabling LPM twice - vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock - tipc: handle the err returned from cmd header function - slip: make slhc_free() silently accept an error pointer - [x86] intel_th: gth: Fix an off-by-one in output unassigning - fs/proc/proc_sysctl.c: Fix a NULL pointer dereference - NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family. - netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON - tipc: check bearer name with right length in tipc_nl_compat_bearer_enable - tipc: check link name with right length in tipc_nl_compat_link_set - ipv4: add sanity checks in ipv4_link_failure() - net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query - net: rds: exchange of 8K and 1M pool - team: fix possible recursive locking when add slaves - [arm64,armhf] net: stmmac: move stmmac_check_ether_addr() to driver probe - ipv4: set the tcp_min_rtt_wlen range from 0 to one day - ipv6: frags: fix a lockdep false positive - net: IP defrag: encapsulate rbtree defrag code into callable functions - ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module - net: IP6 defrag: use rbtrees for IPv6 defrag - net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c - Documentation: Add nospectre_v1 parameter https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.173 - usbnet: ipheth: prevent TX queue timeouts when device not ready - usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set - media: vivid: check if the cec_adapter is valid - [armhf] dts: bcm283x: Fix hdmi hpd gpio pull - [s390x] limit brk randomization to 32MB - qlcnic: Avoid potential NULL pointer dereference - netfilter: nft_set_rbtree: check for inactive element after flag mismatch - netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING - usb: gadget: net2280: Fix overrun of OUT messages - usb: gadget: net2280: Fix net2280_dequeue() - staging: rtl8712: uninitialized memory in read_bbreg_hdl() - NFS: Fix a typo in nfs_init_timeout_values() - scsi: qla4xxx: fix a potential NULL pointer dereference - usb: u132-hcd: fix resource leak - ceph: fix use-after-free on symlink traversal - [s390x] scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN - [x86,arm64] libata: fix using DMA buffers on stack - gpio: of: Fix of_gpiochip_add() error path - [amd64] vfio/type1: Limit DMA mappings per container (CVE-2019-3882) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.174 - ALSA: line6: use dynamic buffers - ipv4: ip_do_fragment: Preserve skb_iif during fragmentation - ipv6/flowlabel: wait rcu grace period before put_pid() - ipv6: invert flowlabel sharing check in process and user mode - packet: validate msg_namelen in send directly - bnxt_en: Improve multicast address setup logic. - net: phy: marvell: Fix buffer overrun with stats counters - [arm64] proc: Set PTE_NG for table entries to avoid traversing them twice - [arm64] mm: print out correct page table entries - [arm64] mm: don't print out page table entries on EL0 faults - USB: yurex: Fix protection fault after device removal - USB: w1 ds2490: Fix bug caused by improper use of altsetting array - [x86] usb: usbip: fix isoc packet num validation in get_pipe - USB: core: Fix unterminated string returned by usb_string() - USB: core: Fix bug caused by duplicate interface PM usage counter - nvme-loop: init nvmet_ctrl fatal_err_work when allocate - HID: logitech: check the return value of create_singlethread_workqueue - HID: debug: fix race condition with between rdesc_show() and device removal - batman-adv: Reduce claim hash refcnt only for removed entry - batman-adv: Reduce tt_local hash refcnt only for removed entry - batman-adv: Reduce tt_global hash refcnt only for removed entry - igb: Fix WARN_ONCE on runtime suspend - net/mlx5: E-Switch, Fix esw manager vport indication for more vport commands - bonding: show full hw address in sysfs for slave entries - [arm64,armhf] net: stmmac: don't overwrite discard_frame status - [arm64,armhf] net: stmmac: fix dropping of multi-descriptor RX frames - [arm64,armhf] net: stmmac: don't log oversized frames - jffs2: fix use-after-free on symlink traversal - debugfs: fix use-after-free on symlink traversal - [amd64,ppc64el] vfio/pci: use correct format characters - scsi: core: add new RDAC LENOVO/DE_Series device - [x86] scsi: storvsc: Fix calculation of sub-channel count - [arm64] net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw() - [arm64] net: hns: Use NAPI_POLL_WEIGHT for hns driver - [arm64] net: hns: Fix WARNING when remove HNS driver with SMMU enabled - hugetlbfs: fix memory leak for resv_map - [armel] orion: don't use using 64-bit DMA masks - [x86] perf/x86/amd: Update generic hardware cache events for Family 17h - scsi: RDMA/srpt: Fix a credit leak for aborted commands - selinux: never allow relabeling on context mounts - [x86] mce: Improve error message when kernel cannot recover, p2 - media: v4l2: i2c: ov7670: Fix PLL bypass register values https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.175 - scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836) - ASoC:soc-pcm:fix a codec fixup issue in TDM case - [amd64] IB/hfi1: Eliminate opcode tests on mr deref - [x86] perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS - scsi: csiostor: fix missing data copy in csio_scsi_err_handler() - virtio-blk: limit number of hw queues by nr_cpu_ids - [amd64] iommu/amd: Set exclusion range correctly - mm: add 'try_get_page()' helper function - genirq: Prevent use-after-free and work list corruption - [arm64,armhf] usb: dwc3: Fix default lpm_nyet_threshold value - USB: serial: f81232: fix interrupt worker not stop - usb-storage: Set virt_boundary_mask to avoid SG overflows - scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines - UAS: fix alignment of scatter/gather segments - [x86] ASoC: Intel: avoid Oops if DMA setup fails - timer/debug: Change /proc/timer_stats from 0644 to 0600 (CVE-2017-5967) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.176 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.177 - netfilter: compat: initialize all fields in xt_init - bpf: fix struct htab_elem layout - bpf: convert htab map to hlist_nulls - [x86] platform/x86: sony-laptop: Fix unintentional fall-through - USB: serial: fix unthrottle races - [x86] libnvdimm/namespace: Fix a potential NULL pointer dereference - HID: input: add mapping for Expose/Overview key - HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys - HID: input: add mapping for "Toggle Display" key - [x86] libnvdimm/btt: Fix a kmemdup failure check - [s390x] dasd: Fix capacity calculation for large volumes - mac80211: fix unaligned access in mesh table hash function - [s390x] 3270: fix lockdep false positive on view->lock - mISDN: Check address length before reading address family - [x86] reboot, efi: Use EFI reboot for Acer TravelMate X514-51T - [x86] KVM: avoid misreporting level-triggered irqs as edge-triggered in tracing - init: initialize jump labels before command line option parsing - ipvs: do not schedule icmp errors from tunnels - [s390x] ctcm: fix ctcm_new_device error return code - [armhf] gpu: ipu-v3: dp: fix CSC handling - rtlwifi: rtl8723ae: Fix missing break in switch statement - md/raid5: Don't jump to compute_result state from check_result state - bridge: Fix error path for kobject_init_and_add() - fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied - packet: Fix error path in packet_init - vlan: disable SIOCSHWTSTAMP in container - vrf: sit mtu should not be updated when vrf netdev is the link - ipv4: Fix raw socket lookup for local traffic - bonding: fix arp_validate toggling in active-backup mode https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.178 - net: core: another layer of lists, around PF_MEMALLOC skb handling - locking/rwsem: Prevent decrement of reader count before increment - [amd64] PCI: hv: Fix a memory leak in hv_eject_device_work() - [x86] speculation/mds: Revert CPU buffer clear on double fault exit - [x86] speculation/mds: Improve CPU buffer clear documentation - [armhf] exynos: Fix a leaked reference by adding missing of_node_put - [arm64] compat: Reduce address limit - [arm64] Clear OSDLR_EL1 on CPU boot - [x86] sched/x86: Save [ER]FLAGS on context switch - crypto: chacha20poly1305 - set cra_name correctly - [ppc64el] crypto: vmx - fix copy-paste error in CTR mode - crypto: crct10dif-generic - fix use via crypto_shash_digest() - [amd64] crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest() - ALSA: usb-audio: Fix a memory leak bug - ALSA: hda/hdmi - Read the pin sense from register when repolling - ALSA: hda/hdmi - Consider eld_valid when reporting jack event - ALSA: hda/realtek - EAPD turn on later - ASoC: max98090: Fix restore of DAPM Muxes - ASoC: RT5677-SPI: Disable 16Bit SPI Transfers - ocfs2: fix ocfs2 read inode data panic in ocfs2_iget - [arm64] mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values - tty/vt: fix write/write race in ioctl(KDSKBSENT) handler - jbd2: check superblock mapped prior to committing - ext4: actually request zeroing of inode table after grow - ext4: fix ext4_show_options for file systems w/o journal - Btrfs: do not start a transaction at iterate_extent_inodes() - bcache: fix a race between cache register and cacheset unregister - bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() - [arm64] ipmi:ssif: compare block number correctly for multi-part return messages - crypto: gcm - Fix error return code in crypto_gcm_create_common() - crypto: gcm - fix incompatibility between "gcm" and "gcm_base" - crypto: salsa20 - don't access already-freed walk.iv - fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...") - writeback: synchronize sync(2) against cgroup writeback membership switches - fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount - ext4: fix data corruption caused by overlapping unaligned and aligned IO - [x86] ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug - [x86] KVM: Skip EFER vs. guest CPUID checks for host-initiated writes https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.179 - net: avoid weird emergency message - net/mlx4_core: Change the error print to info print - ppp: deflate: Fix possible crash in deflate_init - tipc: switch order of device registration to fix a crash - vsock/virtio: free packets during the socket release - tipc: fix modprobe tipc failed after switch order of device registration - vsock/virtio: Initialize core virtio vsock before registering the driver - md: add mddev->pers to avoid potential NULL pointer dereference - [x86] intel_th: msu: Fix single mode with IOMMU - p54: drop device reference count if fails to enable device - cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() - NFS4: Fix v4.0 client state corruption when mount - [arm64,armhf] clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider - fuse: fix writepages on 32bit - fuse: honor RLIMIT_FSIZE in fuse_file_fallocate - [arm64,armhf] iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 - ceph: flush dirty inodes before proceeding with remount - tracing: Fix partial reading of trace event's id file - [arm64,armhf] memory: tegra: Fix integer overflow on tick value calculation - [x86] perf intel-pt: Fix instructions sampling rate - [x86] perf intel-pt: Fix improved sample timestamp - [x86] perf intel-pt: Fix sample timestamp wrt non-taken branches - PCI: Mark Atheros AR9462 to avoid bus reset - PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum - dm delay: fix a crash when invalid device is specified - xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink - xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module - vti4: ipip tunnel deregistration fixes. - xfrm4: Fix uninitialized memory read in _decode_session4 - mac80211: Fix kernel panic due to use of txq after free - [arm64,armhf] KVM: arm/arm64: Ensure vcpu target is unset on reset failure - power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG - ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour - Revert "Don't jump to compute_result state from check_result state" - md/raid: raid5 preserve the writeback action after the parity check - btrfs: Honour FITRIM range constraints during free space trim https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.180 - ext4: do not delete unlinked inode from orphan list on failed truncate - [x86] KVM: fix return value for reserved EFER - bio: fix improper use of smp_mb__before_atomic() - Revert "scsi: sd: Keep disk read-only when re-reading partition" - [ppc64el] crypto: vmx - CTR: always increment IV as quadword - [x86] kvm: svm/avic: fix off-by-one in checking host APIC ID - [x86] libnvdimm/namespace: Fix label tracking error - [arm64] Save and restore OSDLR_EL1 across suspend/resume - gfs2: Fix sign extension bug in gfs2_update_stats - Btrfs: do not abort transaction at btrfs_update_root() after failure to COW path - Btrfs: fix race between ranged fsync and writeback of adjacent ranges - btrfs: sysfs: don't leak memory when failing add fsid - fbdev: fix divide error in fb_var_to_videomode - hugetlb: use same fault hash key for shared and private mappings - fbdev: fix WARNING in __alloc_pages_nodemask bug - media: cpia2: Fix use-after-free in cpia2_exit - media: vivid: use vfree() instead of kfree() for dev->bitmap_cap - [x86,ppc64el] ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit - at76c50x-usb: Don't register led_trigger if usb_register_driver failed - Revert "btrfs: Honour FITRIM range constraints during free space trim" - gfs2: Fix lru_count going negative - cxgb4: Fix error path in cxgb4_init_module - mmc: core: Verify SD bus width - [arm64] dmaengine: tegra210-dma: free dma controller in remove() - [arm64,armhf] ASoC: hdmi-codec: unlock the device on startup errors - [ppc64el] boot: Fix missing check of lseek() return value - brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() - [armel,armhf] vdso: Remove dependency with the arch_timer driver internals - sched/cpufreq: Fix kobject memleak - scsi: qla2xxx: Fix a qla24xx_enable_msix() error path - iwlwifi: pcie: don't crash on invalid RX interrupt - w1: fix the resume command API - [armhf] dmaengine: pl330: _stop: clear interrupt status - mac80211/cfg80211: update bss channel on channel switch - mwifiex: prevent an array overflow - [armhf] crypto: sun4i-ss - Fix invalid calculation of hash end - bcache: return error immediately in bch_journal_replay() - bcache: fix failure in journal relplay - bcache: add failure check to run_cache_set() for journal replay - [x86] build: Move _etext to actual end of .text - smpboot: Place the __percpu annotation correctly - [amd64] mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault() - HID: logitech-hidpp: use RAP instead of FAP to get the protocol version - media: au0828: stop video streaming only when last user stops - audit: fix a memory leak bug - media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() - media: pvrusb2: Prevent a buffer overflow - [ppc64el] numa: improve control of topology updates - sched/core: Check quota and period overflow at usec to nsec conversion - sched/core: Handle overflow in cpu_shares_write_u64 - USB: core: Don't unbind interfaces following device reset failure - [amd64] irq: Limit IST stack overflow check to #DB stack - i40e: don't allow changes to HW VLAN stripping on active port VLANs - [arm64] vdso: Fix clock_getres() for CLOCK_REALTIME - RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure - hwmon: (vt1211) Use request_muxed_region for Super-IO accesses - [x86] hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses - [x86] hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses - hwmon: (pc87427) Use request_muxed_region for Super-IO accesses - [x86] hwmon: (f71805f) Use request_muxed_region for Super-IO accesses - scsi: libsas: Do discovery on empty PHY to update PHY info - mmc: core: make pwrseq_emmc (partially) support sleepy GPIO controllers - [arm64] mmc_spi: add a status check for spi_sync_locked - PM / core: Propagate dev->power.wakeup_path when no callbacks - rtlwifi: fix a potential NULL pointer dereference - mwifiex: Fix mem leak in mwifiex_tm_cmd - brcmfmac: fix missing checks for kmemdup - brcmfmac: convert dev_init_lock mutex to completion - brcmfmac: fix race during disconnect when USB completion is in progress - brcmfmac: fix Oops when bringing up interface during USB disconnect - scsi: ufs: Fix regulator load and icc-level configuration - scsi: ufs: Avoid configuring regulator with undefined voltage range - [arm64] cpu_ops: fix a leaked reference by adding missing of_node_put - [x86] uaccess, signal: Fix AC=1 bloat - [amd64] x86/ia32: Fix ia32_restore_sigcontext() AC leak - chardev: add additional check for minor range overlap - HID: core: move Usage Page concatenation to Main item - [armhf] ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put - [armhf] ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put - cxgb3/l2t: Fix undefined behaviour - [arm64,armhf] spi: tegra114: reset controller on probe - [armhf] media: wl128x: prevent two potential buffer overflows - virtio_console: initialize vtermno value for ports - [x86,ppc64el] tty: ipwireless: fix missing checks for ioremap - [x86] mce: Fix machine_check_poll() tests for error types - usb: core: Add PM runtime calls to usb_hcd_platform_shutdown - scsi: qla4xxx: avoid freeing unallocated dma memory - [arm64] dmaengine: tegra210-adma: use devm_clk_*() helpers - media: m88ds3103: serialize reset messages in m88ds3103_set_frontend - scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices - [i386] spi : spi-topcliff-pch: Fix to handle empty DMA buffers - spi: Fix zero length xfer bug - drm: Wake up next in drm_read() chain if we are forced to putback the event https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.181 - ipv6: Consider sk_bound_dev_if when binding a raw socket to an address - llc: fix skb leak in llc_build_and_send_ui_pkt() - [armhf] net: fec: fix the clk mismatch in failed_reset path - net-gro: fix use-after-free read in napi_gro_frags() - [arm64,armhf] net: stmmac: fix reset gpio free missing - usbnet: fix kernel crash after disconnect - tipc: Avoid copying bytes beyond the supplied data - bnxt_en: Fix aggregation buffer leak under OOM condition. - ipv4/igmp: fix another memory leak in igmpv3_del_delrec() - ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST - [armhf] net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT - [armhf] net: mvneta: Fix err code path of probe - [armhf] net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value - [ppc64el] crypto: vmx - ghash: do nosimd fallback manually - xen/pciback: Don't disable PCI_COMMAND on PCI device reset. (CVE-2015-8553) - Revert "tipc: fix modprobe tipc failed after switch order of device registration" - tipc: fix modprobe tipc failed after switch order of device registration - xhci: update bounce buffer with correct sg num - xhci: Use %zu for printing size_t type - xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() - usb: xhci: avoid null pointer deref when bos field is NULL - [x86] usbip: usbip_host: fix BUG: sleeping function called from invalid context - [x86] usbip: usbip_host: fix stub_dev lock context imbalance regression - USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor - USB: sisusbvga: fix oops in error path of sisusb_probe - USB: Add LPM quirk for Surface Dock GigE adapter - USB: rio500: refuse more than one device at a time - USB: rio500: fix memory leak in close after disconnect - media: usb: siano: Fix general protection fault in smsusb - media: usb: siano: Fix false-positive "uninitialized variable" warning - media: smsusb: better handle optional alignment - [s390x] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove - [s390x] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) - Btrfs: fix race updating log root item during fsync - [ppc64el] powerpc/perf: Fix MMCRA corruption by bhrb_filter - ALSA: hda/realtek - Set default power save node to 0 - drm/nouveau/i2c: Disable i2c bus access after ->fini() - [arm64] tty: serial: msm_serial: Fix XON/XOFF - memcg: make it work on sparse non-0-node systems - kernel/signal.c: trace_signal_deliver when signal_group_exit - CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM - [x86] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set - binder: Replace "%p" with "%pK" for stable (CVE-2018-20509) - binder: replace "%p" with "%pK" (CVE-2018-20510) - fs: prevent page refcount overflow in pipe_buf_get (CVE-2019-11487) - mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages - mm, gup: ensure real head page is ref-counted when using hugepages - mm: prevent get_user_pages() from overflowing page refcount (CVE-2019-11487) - mm: make page ref count overflow check tighter and more explicit (CVE-2019-11487) - media: uvcvideo: Fix uvc_alloc_entity() allocation alignment - ethtool: fix potential userspace buffer overflow - neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit - net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query - net: rds: fix memory leak in rds_ib_flush_mr_pool - pktgen: do not sleep with the thread lock held. - ipv6: fix EFAULT on sendto with icmpv6 and hdrincl - ipv6: use READ_ONCE() for inet->hdrincl as in ipv4 - Revert "fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")" - Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied" - rcu: locking and unlocking need to always be at least barriers - fuse: fallocate: fix return with locked inode - [x86] power: Fix 'nosmt' vs hibernation triple fault during resume - [ppc64el] genwqe: Prevent an integer overflow in the ioctl - [x86] drm/gma500/cdv: Check vbt config bits when detecting lvds panels - drm/radeon: prefer lower reference dividers - [x86] drm/i915: Fix I915_EXEC_RING_MASK - TTY: serial_core, add ->install - fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock - fuse: Add FOPEN_STREAM to use stream_open() - ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled - ethtool: check the return value of get_regs_len https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.182 - tcp: reduce tcp_fastretrans_alert() verbosity https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.183 - fs/fat/file.c: issue flush after the writeback of FAT - sysctl: return -EINVAL if val violates minmax - ipc: prevent lockup on alloc_msg and free_msg - [armhf] prevent tracing IPI_CPU_BACKTRACE - hugetlbfs: on restore reserve error path retain subpool reservation - mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE - [armhf,ppc64el] mm/cma.c: fix crash on CMA allocation if bitmap allocation fails - mm/slab.c: fix an infinite loop in leaks_show() - kernel/sys.c: prctl: fix false positive in validate_prctl_map() - [arm64] drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER - [x86] mfd: intel-lpss: Set the device in reset state when init - mfd: twl6040: Fix device init errors for ACCCTL register - [x86] perf/intel: Allow PEBS multi-entry in watermark mode - [arm64] drm/bridge: adv7511: Fix low refresh rate selection - objtool: Don't use ignore flag for fake jumps - [arm64] pwm: meson: Use the spin-lock only to protect register modifications - ntp: Allow TAI-UTC offset to be set to zero - f2fs: fix to avoid panic in do_recover_data() - f2fs: fix to clear dirty inode in error path of f2fs_iget() - f2fs: fix to do sanity check on valid block count of segment - configfs: fix possible use-after-free in configfs_register_group - [armhf] watchdog: imx2_wdt: Fix set_timeout for big timeout values - watchdog: fix compile time error of pretimeout governors - [x86] iommu/vt-d: Set intel_iommu_gfx_mapped correctly - ALSA: hda - Register irq handler after the chip initialization - nvmem: core: fix read buffer in place - fuse: retrieve: cap requested size to negotiated max_write - nfsd: allow fh_want_write to be called twice - [x86] PCI: Fix PCI IRQ routing table memory leak - platform/chrome: cros_ec_proto: check for NULL transfer function - [armhf] clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288 - [armhf] dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA - [armhf] dts: imx7d: Specify IMX7D_CLK_IPG as "ipg" clock to SDMA - [armhf] dts: imx6ul: Specify IMX6UL_CLK_IPG as "ipg" clock to SDMA - [armhf] dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA - [armhf] dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA - [ppc64el] PCI: rpadlpar: Fix leaked device_node references in add/remove paths - [x86] platform: intel_pmc_ipc: adding error handling - [x86] video: hgafb: fix potential NULL pointer dereference - [arm64] PCI: xilinx: Check for __get_free_pages() failure - [armhf] gpio: gpio-omap: add check for off wake capable gpios - [x86] dmaengine: idma64: Use actual device for DMA transfers - [armhf] pwm: tiehrpwm: Update shadow register for disabling PWMs - [armhf] dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa - pwm: Fix deadlock warning when removing PWM device - [armhf] exynos: Fix undefined instruction during Exynos5422 resume - ALSA: seq: Cover unsubscribe_port() in list_mutex - ALSA: oxfw: allow PCM capture for Stanton SCS.1m - libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk - mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node - fs/ocfs2: fix race in ocfs2_dentry_attach_lock() - signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO - ptrace: restore smp_rmb() in __ptrace_may_access() - media: v4l2-ioctl: clear fields in s_parm - bcache: fix stack corruption by PRECEDING_KEY() - cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css() - [x86] uaccess, kcov: Disable stack protector - ALSA: seq: Fix race of get-subscription call vs port-delete ioctls - Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var - scsi: lpfc: add check for loss of ndlp when sending RRQ - [arm64] mm: Inhibit huge-vmap with ptdump - scsi: bnx2fc: fix incorrect cast to u64 on shift operation - usbnet: ipheth: fix racing condition - [x86] KVM: pmu: do not mask the value that is written to fixed PMUs - [s390x] KVM: fix memory slot handling for KVM_SET_USER_MEMORY_REGION - [x86] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read - [x86] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() - [arm64,armhf] usb: dwc2: Fix DMA cache alignment issues - USB: Fix chipmunk-like voice when using Logitech C270 for recording audio. - USB: usb-storage: Add new ID to ums-realtek - USB: serial: pl2303: add Allied Telesis VT-Kit3 - USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode - USB: serial: option: add Telit 0x1260 and 0x1261 compositions - [armhf] rtc: pcf8523: don't return invalid date when battery is low - ax25: fix inconsistent lock state in ax25_destroy_timer - be2net: Fix number of Rx queues used for flow hashing - ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero - lapb: fixed leak of control-blocks. - neigh: fix use-after-free read in pneigh_get_next - [x86] perf/intel/ds: Fix EVENT vs. UEVENT PEBS constraints - mISDN: make sure device name is NUL terminated - [x86] CPU/AMD: Don't force the CPB cap when running under a hypervisor - perf/ring_buffer: Fix exposing a temporarily decreased data_head - perf/ring_buffer: Add ordering to rb->nest increment - i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr - configfs: Fix use-after-free when accessing sd->s_dentry - perf data: Fix 'strncat may truncate' build failure with recent gcc - perf record: Fix s390 missing module symbol and warning for non-root users - [ppc64el] KVM: Book3S: Use new mutex to synchronize access to rtas token list - [ppc64el] KVM: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu - scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route() - scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask - scsi: libsas: delete sas port if expander discover failed - vfs: Abort file_remove_privs() for non-reg. files https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.184 - tcp: refine memory limit test in tcp_fragment() (Closes: #930904) . [ Salvatore Bonaccorso ] * [x86] Disable R3964 due to lack of security support * Refresh version.patch for context changes in 4.9.170 * [rt] Drop 0053-arm-kprobe-replace-patch_lock-to-raw-lock.patch applied in 4.9.170 * Revert "x86: stop exporting msr-index.h to userland" * [rt] Add new signing subkey for Steven Rostedt * [rt] Update to 4.9.178-rt131: - futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() - Update "kernel/hotplug: restore original cpu mask oncpu/down" to always call arch_smt_update() * Refresh 0058-net-ena-complete-host-info-to-match-latest-ENA-spec.patch for context changes in 4.9.180 * Drop efi-libstub-unify-command-line-param-parsing.patch * Refresh arm64-add-kernel-config-option-to-set-securelevel-wh.patch for context changes in 4.9.181 . [ Ben Hutchings ] * Drop "kbuild: Use -nostdinc in compile tests", which is no longer needed. * [rt] Fix build failure after "genirq: Prevent use-after-free and work list corruption": - kthread: Convert worker lock to raw spinlock - kthread: add a global worker thread. - genirq: convert affinity_notify swork to kthread * Bump ABI to 10 and apply deferred changes: - genirq: Avoid summation loops for /proc/stat * [ppc64el] Disable PPC_TRANSACTIONAL_MEM (Closes: #866122) linux (4.9.168-1+deb9u3) stretch-security; urgency=high . [ Salvatore Bonaccorso ] * tcp: limit payload size of sacked skbs (CVE-2019-11477) * tcp: tcp_fragment() should apply sane memory limits (CVE-2019-11478) * tcp: add tcp_min_snd_mss sysctl (CVE-2019-11479) * tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() * tcp: fix fack_count accounting on tcp_shift_skb_data() . [ Ben Hutchings ] * tcp: Avoid ABI change for DoS fixes * mm/mincore.c: make mincore() more conservative (CVE-2019-5489) * brcmfmac: add length checks in scheduled scan result handler * brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500) * brcmfmac: add subtype check for event handling in data path (CVE-2019-9503) * tty: mark Siemens R3964 line discipline as BROKEN (CVE-2019-11486) * coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) * net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock(). (CVE-2019-11815) (Closes: #928989) * ext4: zero out the unused memory region in the extent tree block (CVE-2019-11833) * Bluetooth: hidp: fix buffer overflow (CVE-2019-11884) * mwifiex: Fix possible buffer overflows at parsing bss descriptor (CVE-2019-3846) * mwifiex: Abort at too short BSS descriptor element * mwifiex: Don't abort on small, spec-compliant vendor IEs * mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() (CVE-2019-10126) linux (4.9.168-1+deb9u2) stretch-security; urgency=high . [ Salvatore Bonaccorso ] * Revert "block/loop: Use global lock for ioctl() operation." (Closes: #928125) . linux (4.9.168-1+deb9u1) stretch-security; urgency=high . * [x86] Update speculation mitigations: - x86/MCE: Save microcode revision in machine check records - x86/cpufeatures: Hide AMD-specific speculation flags - x86/bugs: Add AMD's variant of SSB_NO - x86/bugs: Add AMD's SPEC_CTRL MSR usage - x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features - x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR - x86/microcode/intel: Add a helper which gives the microcode revision - x86/microcode/intel: Check microcode revision before updating sibling threads - x86/microcode: Make sure boot_cpu_data.microcode is up-to-date - x86/microcode: Update the new microcode revision unconditionally - x86/mm: Use WRITE_ONCE() when setting PTEs - bitops: avoid integer overflow in GENMASK(_ULL) - x86/speculation: Simplify the CPU bug detection logic - locking/atomics, asm-generic: Move some macros from to a new file - x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation - x86/cpu: Sanitize FAM6_ATOM naming - Documentation/l1tf: Fix small spelling typo - x86/speculation: Apply IBPB more strictly to avoid cross-process data leak - x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation - x86/speculation: Propagate information about RSB filling mitigation to sysfs - x86/speculation/l1tf: Drop the swap storage limit restriction when l1tf=off - x86/speculation: Update the TIF_SSBD comment - x86/speculation: Clean up spectre_v2_parse_cmdline() - x86/speculation: Remove unnecessary ret variable in cpu_show_common() - x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() - x86/speculation: Disable STIBP when enhanced IBRS is in use - x86/speculation: Rename SSBD update functions - x86/speculation: Reorganize speculation control MSRs update - x86/Kconfig: Select SCHED_SMT if SMP enabled - sched: Add sched_smt_active() - x86/speculation: Rework SMT state change - x86/l1tf: Show actual SMT state - x86/speculation: Reorder the spec_v2 code - x86/speculation: Mark string arrays const correctly - x86/speculataion: Mark command line parser data __initdata - x86/speculation: Unify conditional spectre v2 print functions - x86/speculation: Add command line control for indirect branch speculation - x86/speculation: Prepare for per task indirect branch speculation control - x86/process: Consolidate and simplify switch_to_xtra() code - x86/speculation: Avoid __switch_to_xtra() calls - x86/speculation: Prepare for conditional IBPB in switch_mm() - x86/speculation: Split out TIF update - x86/speculation: Prepare arch_smt_update() for PRCTL mode - x86/speculation: Prevent stale SPEC_CTRL msr content - x86/speculation: Add prctl() control for indirect branch speculation - x86/speculation: Enable prctl mode for spectre_v2_user - x86/speculation: Add seccomp Spectre v2 user space protection mode - x86/speculation: Provide IBPB always command line options - kvm: x86: Report STIBP on GET_SUPPORTED_CPUID - x86/msr-index: Cleanup bit defines - x86/speculation: Consolidate CPU whitelists - Documentation: Move L1TF to separate directory - cpu/speculation: Add 'mitigations=' cmdline option - x86/speculation: Support 'mitigations=' cmdline option - x86/speculation/mds: Add 'mitigations=' support for MDS - x86/cpu/bugs: Use __initconst for 'const' init data * [x86] Mitigate Microarchitectural Data Sampling (MDS) vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091): - x86/speculation/mds: Add basic bug infrastructure for MDS - x86/speculation/mds: Add BUG_MSBDS_ONLY - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests - x86/speculation/mds: Add mds_clear_cpu_buffers() - x86/speculation/mds: Clear CPU buffers on exit to user - x86/kvm/vmx: Add MDS protection when L1D Flush is not active - x86/speculation/mds: Conditionally clear CPU buffers on idle entry - x86/speculation/mds: Add mitigation control for MDS - x86/speculation/mds: Add sysfs reporting for MDS - x86/speculation/mds: Add mitigation mode VMWERV - Documentation: Add MDS vulnerability documentation - x86/speculation/mds: Add mds=full,nosmt cmdline option - x86/speculation: Move arch_smt_update() call to after mitigation decisions - x86/speculation/mds: Add SMT warning message - x86/speculation/mds: Fix comment - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off - x86/mds: Add MDSUM variant to the MDS documentation - Documentation: Correct the possible MDS sysfs values - x86/speculation/mds: Fix documentation typo * [x86] msr-index: Remove dependency on * [rt] Update patches to apply on top of the speculation mitigation changes * [x86] mce, tlb: Ignore ABI changes linux-latest (80+deb9u9) stretch; urgency=medium . * Update to 4.9.0-11 linux-latest (80+deb9u8) stretch; urgency=medium . * Update to 4.9.0-10 liquidsoap (1.1.1-7.2+deb9u1) stretch; urgency=medium . * Fix compilation with Ocaml 4.02 (Closes: #812591) * Add new uploader llvm-toolchain-7 (1:7.0.1-8~deb9u2) stretch; urgency=medium . * Disable ocaml on ppc64el and s390x. llvm-toolchain-7 (1:7.0.1-8~deb9u1) stretch; urgency=medium . * Backport to stretch. llvm-toolchain-7 (1:7.0.1-7) unstable; urgency=medium . * Fix an ABI issue introduced with the kfreebsd support (Closes: #922731) * kfreebsd/kfreebsd-triple-clang.diff: update of the patch to fix the kfreebsd FTBFS (Closes: #921246) * Enable ld gold for kfreebsd-amd64 and kfreebsd-i386 Many thanks to Svante Signell for the three updates . [ Matthias Klose ] * Remove the autopkg test for a genuine LLVM bug. llvm-toolchain-7 (1:7.0.1-6) unstable; urgency=medium . * Add support for kfreebsd (Closes: #921246) Many thanks to Svante Signell for all patches llvm-toolchain-7 (1:7.0.1-4) unstable; urgency=medium . * Remove dbgsym packages from debci because of bug #917528 . [ Gianfranco Costamagna ] * Ignore a test result on i386, due to upstream bug 26580#c18 llvm-toolchain-7 (1:7.0.1-3) unstable; urgency=medium . * Also install clang-7-dbgsym libclang1-7-dbgsym in autopkgtest to verify that debug symbols are present * Cherry-pick upstream fix D52340 to address a rustc debuginfo (Closes: #917209) * Change the jit debug path from $HOME/.debug/jit/ to $TMPDIR/.debug/jit/ (Closes: #916393) * Document in README.source some Debian/Ubuntu specific changes llvm-toolchain-7 (1:7.0.1-2) unstable; urgency=medium . * Enable -DENABLE_LINKER_BUILD_ID:BOOL=ON as, unlike gcc, isn't enabled by default in clang. Thanks to Adrian Bunk for the patch. Once more, thanks to Rebecca Palmer (Closes: #916975) * Build with -g1 also on 64bit architectures (thanks to Adrian too) llvm-toolchain-7 (1:7.0.1-1) unstable; urgency=medium . * New release * Remove the dbg workaround. Hopefully, the new version of binutils will fix it (Closes: #913946) llvm-toolchain-7 (1:7.0.1~+rc3-2) unstable; urgency=medium . * Fix llvm-config by stripping unnecessary flags See also https://bugs.llvm.org/show_bug.cgi?id=8220 (Closes: #697755, #914838) * Try to workaround the debug issues by adding -fno-addrsig to the *FLAGS One more time, thanks to Rebecca Palmer (Closes: #913946) The goal is to provide correct debug packages. Workaround https://sourceware.org/bugzilla/show_bug.cgi?id=23788 * Force the chmod +x on llvm-X/bin/* because it was sometimes removed by the strip process * Force the link to atomic also for i386 as it fails on Debian jessie too * Improved the debian/patches/series presentation by creating categories * Improve the separation between *FLAGS for gcc and clang. This is done for -fno-addrsig as it doesn't exit for gcc This can be done with the BOOTSTRAP_CMAKE_CXX_FLAGS option llvm-toolchain-7 (1:7.0.1~+rc3-1) unstable; urgency=medium . * New testing release * disable the llvm-strip as it created too big llvm lib . [ John Paul Adrian Glaubitz ] * Add patch to add powerpcspe support to clang * Add patch to fix register spilling on powerpcspe * Add patch to optimize double parameter calling setup on powerpcspe llvm-toolchain-7 (1:7.0.1~+rc2-8) unstable; urgency=medium . * Use llvm-strip instead of binutils strip. Two reasons: - with clang stage2, the dbg packages were not generated - strip fails on stretch and other ubuntu on some archives For this, I had to silent the --enable-deterministic-archives option (https://bugs.llvm.org/show_bug.cgi?id=39789). Thanks to Rebecca Palmer for the idea (Closes: #913946) * Change the i386 base line to avoid using sse2 extension This is more important now that llvm is built with clang instead of gcc. Thanks to Fanael Linithien for the patch (Closes: #914770, #894840) llvm-toolchain-7 (1:7.0.1~+rc2-7) unstable; urgency=medium . * Bring back mips-rdhwr.diff as it isn't in rc2 llvm-toolchain-7 (1:7.0.1~+rc2-6) unstable; urgency=medium . [ Samuel Thibault ] * D53557-hurd-self-exe-realpath.diff: Fix paths returned by llvm-config (See Bug#911817). . [ Sylvestre Ledru ] * Fix the FTBFS on armel for real! Thanks to Adrian Bunk Force the activation of FeatureVFP3 & FeatureD16 llvm-toolchain-7 (1:7.0.1~+rc2-5) unstable; urgency=medium . [ Samuel Thibault ] * D54079-hurd-openmp.diff, D54338-hurd-libcxx-threads-build.diff, D54339-hurd-libcxx-threads-detection.diff, D54378-hurd-triple.diff, D54379-hurd-triple-clang.diff, D54677-hurd-path_max.diff, hurd-cxx-paths.diff: New patches to fix hurd build. . [ Sylvestre Ledru ] * Remove mips-rdhwr.diff as it has been applied upstream * Fix a baseline violation on armhf (Closes: #914268) clang-arm-default-vfp3-on-armv7a.patch has been updated to disable neon in another place llvm-toolchain-7 (1:7.0.1~+rc2-4) unstable; urgency=medium . * Workaround the build issues on armhf Thanks to Adrian Bunk for the idea * Remove useless symlink /usr/include/c++ -> ../lib/llvm-7/include/c++ (Closes: #913400) llvm-toolchain-7 (1:7.0.1~+rc2-3) unstable; urgency=medium . * Disable gold for sparc* (Closes: #913260) * Hide a symbol in openmp for mips64el * Try to integrate a pach to make pch reproducible Thanks to Rebecca Palmer for the patch (Closes: #877359) * Fix the misscompilation issue causing rustc to crash (Closes: #913271) Might cause some ABI issues but no real good solution. See https://bugs.llvm.org/show_bug.cgi?id=39427 llvm-toolchain-7 (1:7.0.1~+rc2-2) unstable; urgency=medium . * Fix a non-break space in a patch (Closes: #913213) llvm-toolchain-7 (1:7.0.1~+rc2-1) unstable; urgency=medium . * Upload of 7.0.1 rc2 into unstable * New testing release * Enable the stage2 bootstrap: - stage1 = build clang with gcc - stage2 = clang building itself (Closes: #909234) * Bring back the Disable NEON generation on armhf patch which was gone Should fix the FTBFS on armhf (Closes: #842142) * Update the clang manpage to remove osx specific options and to add -arch (Closes: #743133) * Bring back usr/lib/@DEB_HOST_MULTIARCH@/{libiomp5.so, libomp5.so} symlink for gcc (Closes: #912641) llvm-toolchain-7 (1:7.0.1~+rc2-1~exp1) experimental; urgency=medium . * New testing release llvm-toolchain-7 (1:7-9~exp1) experimental; urgency=medium . * Remove the dump of cmake error file (too confusing) * Try to fix the bootstrap FTBFS : - on armel by forcing the link to -latomic - mips-rdhwr.diff: backport D51773 to fix an assembly issue on mips. Thanks to jrtc27 for finding the issue. llvm-toolchain-7 (1:7-8) unstable; urgency=medium . * Update the watch file to display the right version (even if the download will fail) * clang-7 suggests libomp-7-dev instead of libomp-dev * Make sure that we don't conflict openmp & libc++ with llvm-defaults's (Closes: #912544) * Handle better the non coinstability of openmp & libc++ (like we are doing with python-clang-*) * Backport upstream fix D51749 to address a rust aarch64 issues (Closes: #909705) * Add tests from old bugs to make sure they don't come back (Closes: #889832, #827866) * The sanitizers use the versionned llvm-symbolizer provided by the llvm-X package (Closes: #753572) llvm-toolchain-7 (1:7-7~exp2) experimental; urgency=medium . * clangd-atomic-cmake.patch: Link against atomic for clangd in i386 * When the cmake configure of the stage2 is failing, dump the cmake error log * Declare some variables (-Wno-*) for all platforms (was failing on mips) * Update the watch file to display the right version (even if the download will fail) llvm-toolchain-7 (1:7-7~exp1) experimental; urgency=medium . * Experiment the clang bootstrap * Try to boostrap clang using clang llvm-toolchain-7 (1:7-6) unstable; urgency=medium . * Team upload * Upload to unstable llvm-toolchain-7 (1:7-6~exp2) experimental; urgency=medium . * Disable for now the bootstrapping clang patches llvm-toolchain-7 (1:7-6~exp1) experimental; urgency=medium . * Add python-pygments as dep of llvm-7-tools because opt-viewer.py needs it * Add back libomp5-X.Y.symbols.in (untested) * Start the work on bootstraping clang - bootstrap-with-openmp-version-export-missing.diff: fix a link issue https://bugs.llvm.org/show_bug.cgi?id=39200 - bootstrap-fix-include-next.diff: Fix an include issue at bootstrap phase https://bugs.llvm.org/show_bug.cgi?id=39162 * Fix the install of clang bash completion . [ Gianfranco Costamagna ] * Take option two in bug #877567 to fix FTBFS on mips and mipsel llvm-toolchain-7 (1:7-5) unstable; urgency=medium . * In debci, run qualify-clang.sh in verbose mode * Only run the g++ test if g++ exist . [ Reshabh Sharma ] * Run check-openmp to test OpenMP llvm-toolchain-7 (1:7-4) unstable; urgency=medium . * Backport a fix to improve scan-build code error. Thanks to Roman Lebedev for the fix(Closes: #909662) * Remove bat files https://bugs.llvm.org/show_bug.cgi?id=30755 * Install bash-completion for clang * Disable ocaml on armel llvm-toolchain-7 (1:7-3) unstable; urgency=medium . * Fix a syntax issue in a scan-build patch * Fix the autopkgtest script (no gcc in the test) * remove dep from lld to llvm-7-dev because lld doesn't use LLVM LTO * remove old Replaces/Breaks * Standards-Version: 4.2.1 llvm-toolchain-7 (1:7-2) unstable; urgency=medium . * Fix the ftbfs under armel on libc++ and enable openmp on armel. Thanks to Adrian Bunk for the patch * Make libc++, libc++abi & openmp NOT co-installable Rational: the benefits are limited compared to the drawback. We should have issues like: - built with libc++-8-dev - run with libc++1-7 (Closes: #903802) * Remove circular dependency by removing python-lldb-7: Depends: liblldb-7-dev (Closes: #888889) llvm-toolchain-7 (1:7-1) unstable; urgency=medium . * Stable release * Also manages clang-X as tool for scan-build see https://reviews.llvm.org/D52151 llvm-toolchain-7 (1:7~+rc3-5) unstable; urgency=medium . [ John Paul Adrian Glaubitz ] * Add patch to fix missing include and library paths on x32 . [ Sylvestre Ledru ] * Only rename libomp when openmp is built llvm-toolchain-7 (1:7~+rc3-4) unstable; urgency=medium . [ Sylvestre Ledru ] * libc++-7-dev doesn't provide libstdc++-dev anymore (Closes: #908738) . [ Gianfranco Costamagna ] * Force polly cmake removal on arch:all because of --fail-missing . [ Reshabh Sharma ] * Make OpenMP packages coinstallable from version 7 * Make libc++ packages coinstallable from version 7 . [ John Paul Adrian Glaubitz ] * Add patch to fix missing MultiArch include dir on powerpcspe (Closes: #908791) * Disable LLDB on riscv64 llvm-toolchain-7 (1:7~+rc3-3) unstable; urgency=medium . [ John Paul Adrian Glaubitz ] * Disable OpenMP on unsupported architecture x32 . [ Sylvestre Ledru ] * Build llvm using -DLLVM_USE_PERF=yes (Closes: #908707) . [ Gianfranco Costamagna ] * Install polly only on arch:all packages llvm-toolchain-7 (1:7~+rc3-2) unstable; urgency=medium . [ John Paul Adrian Glaubitz ] * Fix inverted logic in ifeq statement for POLLY_ENABLE and OPENMP_ENABLE (Closes: #908646) . [ Gianfranco Costamagna ] * Drop gnustep and gnustep-devel suggestions (Closes: #902847) * Enable polly on s390x * Disable omp on armel mips and mipsel for now llvm-toolchain-7 (1:7~+rc3-1) unstable; urgency=medium . [ John Paul Adrian Glaubitz ] * Disable OpenMP on unsupported architectures powerpc, powerpcspe, riscv64 and sparc64 (Closes: #907912) . [ Sylvestre Ledru ] * New snapshot release llvm-toolchain-7 (1:7~+rc2-1~exp3) experimental; urgency=medium . * Remove libtool flex, bison, dejagnu, tcl, expect, and perl from the build deps (testing) * Disable force-gcc-header-obj.diff as it is introducing some regressions in the search headers (Closes: #903709) . [ Gianfranco Costamagna ] * Fix build on armhf, by removing some installed package * Fix build on s390x, by disabling OpenMP * Add liblldb-7-dev to python-lldb runtime dependencies, needed to import it * Enable lld on arm64, mips64el * Enable lldb on mips64el . [ Reshabh Sharma ] * Add version for libc++ and OpenMP packages breaks/replaces * Remove libc++-helpers package - No real value - Just two scripts - Command line arguments aren't that complex * Fix autopkgtest support llvm-toolchain-7 (1:7~+rc2-1~exp2) experimental; urgency=medium . * Force sphinx to be >> 1.2.3 * also ignore libc++experimental.a on dh_strip (fails on stretch) * Make libc++-7-dev & libc++abi-7-dev coinstallable . [ John Paul Adrian Glaubitz ] * Don't build with ld.gold on powerpcspe * Disable polly on powerpcspe * Add upstream patch to make rustc build on powerpc . [ Gianfranco Costamagna ] * Enable lld on ppc64el llvm-toolchain-7 (1:7~+rc2-1~exp1) experimental; urgency=medium . * New snapshot release * dh_strip should be verbose * On Stretch (binutils 2.28), do not run strip on libFuzzer.a, libc++.a & libc++abi.a because it segfaults * Fixed "weak-library-dev-dependency libc++-7-dev on libc++-7-helpers" * Fixed "libomp5-7: shlibs-declares-dependency-on-other-package libomp5-7) (>= 1:7~svn298832-1~)" * Also use the local cmake binary if available (for trusty) and take in account the PRE_PROCESS_CONF option . [ Reshabh Sharma ] * Fixed "Lintian warnings for libc++abi-7-dev package" - Warning: libc++abi-7-dev: breaks-without-version libc++-dev - Warning: libc++abi-7-dev: breaks-without-version libc++abi-dev - Warning: llvm-toolchain-7 source: binaries-have-file-conflict libc++abi-7-dev libc++abi1-7 usr/lib/llvm-7/lib/libc++abi.so llvm-toolchain-7 (1:7~+rc1-1~exp2) experimental; urgency=medium . * Disable force-gcc-header-obj.diff as it is introducing some regressions in the search headers (Closes: #903709) * libc++-7-dev should depend on libc++-7-helpers (and not libc++-helpers) * Fix the links in the helper package . [ Reshabh Sharma ] * Fix the path to libc++ header * libc++.so was in two packages llvm-toolchain-7 (1:7~+rc1-1~exp1) experimental; urgency=medium . * First testing release of 7 - Rename packages - Update the VCS-* URL * Standards-Version to 4.2.0 . [ Dimitri John Ledkov ] * Enable lldb on ppc64el LP: #1777136 . [ Reshabh Sharma ] * Integrate libcxx and libcxxabi as part of the llvm-toolchain packages Very similar to the previous packages except that libc++abi-7-test & libc++-7-test are no longer shipped Outcome of the LLVM GSoC 2018 (Closes: #813673) mariadb-10.1 (10.1.41-0+deb9u1) stretch; urgency=medium . * SECURITY UPDATE: New upstream version 10.1.41. Includes fixes for the following security vulnerabilities: - CVE-2019-2737 - CVE-2019-2739 - CVE-2019-2740 - CVE-2019-2805 * Previous release 10.1.39 includes fixes for the following security vulnerabilities: - CVE-2019-2627 - CVE-2019-2614 * Amend previous changelog entries to include newly released CVE numbers. * Gitlab-CI: Sync latest version from Debian Sid but with Stretch adaptions * Uses respolveip from correct path as per upstream fix (Closes: #928758) mediawiki (1:1.27.7-1~deb9u1) stretch-security; urgency=medium . * New upstream version 1.27.6 and 1.27.7 (security release), fixing CVE-2019-12466, CVE-2019-12467, CVE-2019-12468, CVE-2019-12469, CVE-2019-12470, CVE-2019-12471, CVE-2019-12472, CVE-2019-12473, CVE-2019-12474. The bundled jQuery was also updated, fixing CVE-2019-11358. mediawiki (1:1.27.6-1~deb9u1) stretch-security; urgency=medium . * New upstream version 1.27.6 (security release), fixing CVE-2019-12466, CVE-2019-12467, CVE-2019-12468, CVE-2019-12469, CVE-2019-12470, CVE-2019-12471, CVE-2019-12472, CVE-2019-12473, CVE-2019-12474. The bundled jQuery was also updated, fixing CVE-2019-11358. minissdpd (1.2.20130907-4.1+deb9u1) stretch; urgency=medium . * CVE-2019-12106: Prevent a use-after-free vulnerability that would allow a remote attacker to crash the process. (Closes: #929297) miniupnpd (1.8.20140523-4.1+deb9u2) stretch; urgency=medium . * Applied upstream patches for CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110. This version looks like not affected by CVE-2019-12111. (Closes: #930050). mitmproxy (0.18.2-6+deb9u2) stretch; urgency=medium . * Prevent insertion of unwanted upper-bound versioned dependencies mitmproxy (0.18.2-6+deb9u1) stretch; urgency=medium . * Blacklist tests that require internet access (Closes: #934033) * Add d/gbp.conf monkeysphere (0.41-1+deb9u1) stretch; urgency=medium . * Prevent a FTBFS by updating the tests to accommodate an updated GnuPG in stretch now producing a different output. (Closes: #934034) nasm-mozilla (2.14-1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Backport to stretch as nasm-mozilla, required by Firefox ESR 68. * Lower debhelper compat to 10. ncbi-tools6 (6.1.20170106+dfsg1-0+deb9u1) stretch; urgency=medium . * Belatedly repackage without data/UniVec.*, some portions of which turned out to be non-free (with copyright held by Invitrogen Corporation, which requires a license for commercial use thereof). * debian/copyright: - Cover previously overlooked third-party code (all DFSG-free). - Update authors and dates for debian/*. - Set Files-Excluded to reflect repackaging. * debian/rules: Introduce NCBI_VERSION_SHLIB, with +dfsg1 stripped off. * debian/watch: Reflect usage of +dfsg1. * make/makeshlb.unx: NCBI_VERSION -> NCBI_VERSION_SHLIB. * Temporarily revert ncbi-cn3d splitout to expedite the above fixes. ncbi-tools6 (6.1.20170106-6) unstable; urgency=medium . * debian/rules: Find indirectly needed libraries via -rpath-link rather than LD_LIBRARY_PATH; the -rpath-link approach is generally saner, and in particular has a decent shot at fully fixing cross-building. ncbi-tools6 (6.1.20170106-5) unstable; urgency=medium . [ Andreas Tille ] * Improve cross building: Don't force the build architecture compiler (Thanks for the patch to Helmut Grohne) Closes: #908353 * cme fix dpkg-control . [ Aaron M. Ucko ] * debian/control: libvibrant6b Recommends: sensible-utils (no longer guaranteed present, per #871260). * Standards-Version: 4.3.0 (already compliant). ncbi-tools6 (6.1.20170106-4) unstable; urgency=medium . * debian/compat: Advance to Debhelper 11. * debian/control: - Mark *-data reshuffling with Breaks, not just Replaces. (Closes: #902364.) - Build-Depends: Advance to debhelper (>= 11~). * debian/copyright: Fix years (packaging through 2018, upstream through 2017). ncbi-tools6 (6.1.20170106-3) unstable; urgency=medium . [ Liubov Chuprikova ] * Added autopkgtest for ncbi-tools-bin. Closes: #879619 . [ Aaron M. Ucko ] * debian/{*.gif,ncbi2.css}: Add local copies of NCBI resources used by HTML docs. * debian/control: - Repoint Vcs-* at salsa.debian.org. - Standards-Version: 4.1.4 (already compliant). - Rules-Requires-Root: no (confirmed safe). * debian/{libncbi6,ncbi-tools-x11}.docs: Install resources from debian/ as needed. * debian/source/format: Set to 3.0 (quilt) to accommodate binary test data. * debian/source/include-binaries: List debian/tests/test-data/nc0305.aso.gz and (individually) debian/*.gif. * debian/source/options: single-debian-patch (tracking changes purely with git for now). * debian/source/patch-header: "Combined patches from git." * demo/{findspl,taxblast_main}.c: Call SOCK_SetupSSL (accidentally missed earlier). * doc/{dispatcher,firewall}.html: Patch to use (newly supplied) local resources, addressing a generic privacy breach caught by Lintian. * make/make{demo,net}.unx: Link findspl and taxblast against $(LIBTLS) and $(GNUTLS_LIBS). neovim (0.1.7-4+deb9u1) stretch-security; urgency=high . * Backport upstream patches to address CVE-2019-12735 (Closes: #930024) + vim-patch-8.0.0649 and vim-patch-8.0.0650: autocmd open help 2 times + vim-patch:8.1.0066: nasty autocommand causes using freed memory + vim-patch:8.1.0067: syntax highlighting not working when re-entering a buffer + vim-patch:8.1.0177: defining function in sandbox is inconsistent + vim-patch:8.1.0189: function defined in sandbox not tested + vim-patch:8.1.0205: invalid memory access with invalid modeline + vim-patch:8.1.0506: modeline test fails when run by root + vim-patch:8.1.0538: evaluating a modeline might invoke using a shell command + vim-patch:8.1.0539: cannot build without the sandbox + vim-patch:8.1.0540: may evaluate insecure value when appending to option + vim-patch:8.1.0544: setting 'filetype' in a modeline causes an error + vim-patch:8.1.0546: modeline test with keymap fails + vim-patch:8.1.0547: modeline test with keymap still fails + vim-patch:8.1.0613: when executing an insecure function the secure flag is stuck + vim-patch:8.1.1046: the "secure" variable is used inconsistently + vim-patch:8.1.1365: :source should check sandbox + vim-patch:8.1.1366: using expressions in a modeline is unsafe + vim-patch:8.1.1367: can set 'modelineexpr' in modeline + vim-patch:8.1.1368: modeline test fails with python but without pythonhome + vim-patch:8.1.1382: error when editing test file + vim-patch:8.1.1401: misspelled mkspellmem as makespellmem nginx (1.10.3-1+deb9u3) stretch-security; urgency=high . * Backport upstream fixes for 3 CVEs (Closes: #935037) Those fixes affect Nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage. (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). node-growl (1.7.0-1+deb9u1) stretch; urgency=medium . * Team upload * Sanitize input before passing it to exec. This embeds shell-escape little module (Closes: #900868, CVE-2017-16042) node-ws (1.1.0+ds1.e6ddaae4-3+deb9u1) stretch; urgency=medium . * Team upload * Add patch to fix upload size to a sane value (Closes: #927671, CVE-2016-10542) open-vm-tools (2:10.1.5-5055683-4+deb9u2) stable; urgency=medium . * [34db05f] /tmp/VMwareDnD permissions security fix. Fix possible security issue with the permissions of the intermediate staging directory and path /tmp/VMwareDnD is a staging directory used for DnD and CnP. It should be a regular directory, but malicious code or user may create the /tmp/VMwareDnD as a symbolic link which points elsewhere on the system. This may provide user access to user B's files. Do not set the permission of the root directory if the root directory already exists and has the wrong permission. The permission of the directory must be 1777 if it is created by the VMToolsi. If not, then the directory has been created or modified by malicious code or user, so just cancel the host to guest DnD or CnP operation. (Closes: #925959) openjdk-8 (8u222-b10-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch openjdk-8 (8u222-b07-3) unstable; urgency=medium . * Upload to unstable. openjdk-8 (8u222-b07-2) experimental; urgency=medium . * Remove AArch32 patches, applied upstream. * Fix build dependencies for Ubuntu precise builds. openjdk-8 (8u222-b07-1) experimental; urgency=medium . * Update to 8u222-b07. openjdk-8 (8u222-b05-1) experimental; urgency=medium . [ Matthias Klose ] * Update to 8u222-b05 (except for AArch32). * Apply suggested hotspot fixes for AArch32. * Re-enable running the testsuite. . [ Tiago Stürmer Daitx ] * Find any hs_err_pid files generated during the build and send to stdout. openjdk-8 (8u222-b04-3) experimental; urgency=medium . * Update ARM32 to jdk8u222-b04-aarch32-190603. * Regenerate the ppc64el patch. * Remove unused patches ppc64le-8036767 and zero-opt. openjdk-8 (8u222-b04-1) experimental; urgency=medium . * Update to 8u222-b04. * Update ARM32 to jdk8u212-b04-aarch32-190430. * Fix 32bit zero builds. openjdk-8 (8u212-b03-2) unstable; urgency=medium . * Don't apply the 8221355 fix for ARM builds. * Don't configure --with-vendor-name on stable releases. * Fix the jpeg runtime dependency for the build in unstable. openjdk-8 (8u212-b03-2~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch-security openjdk-8 (8u212-b03-1) unstable; urgency=medium . [ Matthias Klose ] * Configure --with-vendor-name. * 8221355: Fix performance regression after JDK-8155635 backport into 8u. . [ Tiago Stürmer Daitx ] * Update to 8u212-b03. LP: #1826001. * Security fixes: - S8211936, CVE-2019-2602: Better String parsing. - S8218453, CVE-2019-2684: More dynamic RMI interactions. - S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID(). * Revert to GTK2 as default since GTK3 still has padding and component issues: - debian/rules: always Build-Depends on libgtk2.0-dev and Depends on libgtk2.0-0 instead of relying on gtk3 for some releases. * debian/control: add missing dependency on testng (required by the testsuites). . [ Andrej Shadura ] * debian/rules: check for nodoc instead of nodocs in DEB_BUILD_OPTIONS. Closes: 922757. . [ Matthias Klose ] * debian/rules, debian/tests/jtdiff-autopkgtest.sh, debian/tests/jtreg-autopkgtest.in, debian/tests/jtreg-autopkgtest.sh: only set the JDK under test and allow jtreg to use its default JDK for running the tests. . [ Thorsten Glaser ] * Improve compatibility with older releases. Closes: #925407. - debian/rules: determine source date using backwards-compatible dpkg-parsechangelog call. - debian/control.in: put @bd_cross@ onto same line as @bd_nss@ as it can be empty. openjdk-8 (8u212-b01-1) unstable; urgency=medium . * Update to 8u212-b01. * Enable SA on AArch64. openldap (2.4.44+dfsg-5+deb9u3) stretch; urgency=medium . * Fix slapd to restrict rootDN proxyauthz to its own databases (CVE-2019-13057) (ITS#9038) (Closes: #932997) * Fix slapd to enforce sasl_ssf ACL statement on every connection (CVE-2019-13565) (ITS#9052) (Closes: #932998) * Fix slapo-rwm to not free original filter when rewritten filter is invalid (ITS#8964) (Closes: #934277, LP: #1838370) openssh (1:7.4p1-10+deb9u7) stretch; urgency=medium . * Fix deadlock when the keys/principals command produces a lot of output and a key is matched early (upstream commit ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2). (Closes: #905226) openssl (1.1.0k-1~deb9u1) stretch-security; urgency=medium . * Import 1.1.0k - CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305) openssl1.0 (1.0.2s-1~deb9u1) stretch-security; urgency=medium . * New upstream version passwordsafe (1.00+dfsg-1+deb9u1) stretch; urgency=medium . * Don't install localization files under an extra subdirectory. Closes: 932626 patch (2.7.5-1+deb9u2) stretch-security; urgency=high . * Fix CVE-2019-13636: mishandled following of symlinks (closes: #932401). * Fix CVE-2019-13638: shell command injection. * Fix CVE-2018-1000156 regression, temporary file leak on failed ed-style patches (closes: #933140). pdns (4.0.3-1+deb9u5) stretch-security; urgency=medium . * Fix CVE-2019-10162 and CVE-2019-10163 both in MASTER operation. Patches supplied by upstream and backported by Debian. php-horde-form (2.0.15-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Prevent directory traversal vulnerability (CVE-2019-9858) (Closes: #930321) postgresql-9.6 (9.6.15-0+deb9u1) stretch-security; urgency=medium . * New upstream security release. + Fixes regression in ALTER TABLE on multiple columns. (Closes: #932247) . + Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch) . We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208) . * On purge, ask the user if they want to remove clusters. (Closes: #911940, #933368) postgresql-9.6 (9.6.13-0+deb9u1) stretch-security; urgency=medium . * New upstream version. + Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed) . Some of the planner's selectivity estimators apply user-defined operators to values found in pg_statistic (e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. In CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. (CVE-2019-10130) . * Move maintainer address to tracker. pound (2.7-1.3+deb9u1) stretch; urgency=medium . * Fix request smuggling via crafted headers, CVE-2016-10711 (Closes: #888786). proftpd-dfsg (1.3.5b-4+deb9u1) stretch-security; urgency=high . * proftpd-1.3.5e-CVE-2019-12815.patch by Paul Howarth to solve CVE-2019-12815 (Closes: #932453). python-clamav (0.4.1-8+deb9u1) stretch; urgency=medium . [ Scott Kitterman ] * Add d/p/python-clamav-add-support-for-clamav-0.101.0.patch to that python-clamav builds/works with clamav 101.1 and newer (Closes: #920959) * Bump libclamav-dev build-depends to match python-django (1:1.10.7-2+deb9u6) stretch-security; urgency=high . * Backport four security patches from upstream. (Closes: #934026) . - CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator . If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. . The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output. . - CVE-2019-14233: Denial-of-service possibility in strip_tags() . Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable. . strip_tags() now avoids recursive calls to HTMLParser when progress removing tags, but necessarily incomplete HTML entities, stops being made. . Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape(). . - CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField . Key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter(). . - CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri() . If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences. . uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 octet sequences. python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high . * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format. (Closes: #922027) * CVE-2019-12308: Prevent a XSS vulnerability in the Django admin via the AdminURLFieldWidget. (Closes: #929927) * CVE-2019-12781: Prevent incorrect HTTPS detection with reverse-proxies connecting via HTTPS. (Closes: #931316) qemu (1:2.8+dfsg-6+deb9u8) stretch-security; urgency=medium . [ Michal Arbet ] * Fix improper backport of CVE-2017-9524 fix that caused NBD connections to hang (Closes: #873012). Thanks to Geoffrey Thomas. - nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch: Don't move nbd_set_handlers before nbd_negotiate. - nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch: Refresh. . [ Michael Tokarev ] * slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input-CVE-2019-14378.patch bugfix in user-level networking Closes: #933741, CVE-2019-14378 * qemu-bridge-helper-restrict-interface-name-to-IFNAMSIZ-CVE-2019-13164.patch Closes: #931351, CVE-2019-13164 * integrate fix-md-clear-backport.patch into enable-md-clear.patch Thanks Moritz Mühlenhoff and Vincent Tondellier * device_tree-dont-use-load_image-CVE-2018-20815.patch fix unlikely overflow via saved image file size Closes: CVE-2018-20815 qemu (1:2.8+dfsg-6+deb9u7) stretch-security; urgency=medium . * Fix the md_clear backport, thanks to Vincent Tondellier (Closes: #929067) qemu (1:2.8+dfsg-6+deb9u6) stretch-security; urgency=medium . [ Moritz Mühlenhoff ] * slirp-correct-size-computation-concatenating-mbuf-CVE-2018-11806.patch (Closes: #901017, CVE-2018-11806) * qga-check-bytes-count-read-by-guest-file-read-CVE-2018-12617.patch (Closes: #902725, CVE-2018-12617) * usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC-CVE-2018-16872.patch (Closes: #916397, CVE-2018-16872) * rtl8139-fix-possible-out-of-bound-access-CVE-2018-17958.patch (Closes: #911499, CVE-2018-17958) * lsi53c895a-check-message-length-value-is-valid-CVE-2018-18849.patch (Closes: #912535, CVE-2018-18849) * ppc-pnv-check-size-before-data-buffer-access-CVE-2018-18954.patch (Closes: #914604, CVE-2018-18954) * 9p-write-lock-path-in-v9fs-co_open2.patch 9p-take-write-lock-on-fid-path-updates-CVE-2018-19364.patch (Closes: #914599, CVE-2018-19364) * 9p-fix-QEMU-crash-when-renaming-files-CVE-2018-19489.patch (Closes: #914727, CVE-2018-19489) * i2c-ddc-fix-oob-read-CVE-2019-3812.patch (Closes: #922635, CVE-2019-3812) * slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch (Closes: #921525, CVE-2019-6778) * slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch (Closes: CVE-2019-9824) . [ Michael Tokarev ] * enable-md-clear.patch define new CPUID for MDS (Closes: #929067) (Closes: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) * qxl-check-release-info-object-CVE-2019-12155.patch fixes null-pointer deref in qxl cleanup code (Closes: #929353, CVE-2019-12155) rdesktop (1.8.6-2~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch-security * Relax debhelper build dependency * Relax Standards-Version to 3.9.8 . rdesktop (1.8.6-2) unstable; urgency=medium . * Backport fixed version number and typo. * Backport sec_decrypt() the correct amount of data (closes: #930511). . rdesktop (1.8.6-1) unstable; urgency=high . * New upstream release, including many security fixes. rdesktop (1.8.6-1) unstable; urgency=high . * New upstream release, including many security fixes. rdesktop (1.8.4-1) unstable; urgency=high . * New upstream release, including many security fixes: - fix possible integer overflow in s_check_rem() on 32bit arch, - CVE-2018-8791: fix minor information leak in rdpdr_process(), - CVE-2018-8792: fix denial of service in cssp_read_tsrequest(), - CVE-2018-8793: fix remote code execution in cssp_read_tsrequest(), - CVE-2018-8794: fix memory corruption in process_bitmap_data(), - CVE-2018-8795: fix remote code execution in process_bitmap_data(), - CVE-2018-8796: fix denial of service in process_bitmap_data(), - CVE-2018-8797: fix remote code execution in process_plane(), - CVE-2018-8798: fix minor information leak in rdpsnd_process_ping(), - CVE-2018-8799: fix denial of service in process_secondary_order(), - CVE-2018-8800: fix remote code execution in ui_clip_handle_data(), - CVE-2018-20174: fix major information leak in ui_clip_handle_data(), - CVE-2018-20175: fix denial of service in mcs_recv_connect_response() and in mcs_parse_domain_params(), - CVE-2018-20176: fix denial of service in sec_parse_crypt_info() and in sec_recv(), - CVE-2018-20177: fix memory corruption in rdp_in_unistr(), - CVE-2018-20178: fix denial of service in process_demand_active(), - CVE-2018-20179: fix remote code execution in lspci_process(), - CVE-2018-20180: fix remote code execution in rdpsnddbg_process(), - CVE-2018-20181: fix remote code execution in seamless_process(), - CVE-2018-20182: fix remote code execution in seamless_process_line(). * Update debhelper level to 11 . * Update Standards-Version to 4.3.0 . redis (3:3.2.6-3+deb9u3) stretch-security; urgency=high . * CVE-2019-10192: Fix two heap buffer overflows in the Hyperloglog functionality. (Closes: #931625) reportbug (7.1.7+deb9u3) stretch; urgency=medium . * Non-maintainer upload. * Exclude *.pyc from source package. * reportbug/utils.py - update release names, following Buster releases, patch by Nicolas Braud-Santoni; Closes: #932524, #931609 resiprocate (1:1.11.0~beta1-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * libresiprocate-1.11-dev: Add Breaks: libssl-dev (>= 1.1) to help apt finding a valid installation set with --install-recommends enabled. ruby-mini-magick (4.5.1-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Don't allow remote shell execution (CVE-2019-13574) (Closes: #931932) samba (2:4.5.16+dfsg-1+deb9u2) stretch-security; urgency=high . * This is a security release in order to address the following defect: - CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum sdl-image1.2 (1.2.12-5+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * CVE-2018-3977, CVE-2019-5058: buffer overflow in do_layer_surface (IMG_xcf.c) (Closes: #932755). * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c. * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). * CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221, CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). signing-party (2.5-1+deb9u1) stretch; urgency=medium . * Backport security fix for CVE-2019-11627: unsafe shell call enabling shell injection via a User ID. Use Perl's (core) module Encode.pm instead of shelling out to `iconv`. (Closes: #928256.) slurm-llnl (16.05.9-1+deb9u4) stretch; urgency=medium . * Fix build regression on 32-bits architecture (Closes: #929600) slurm-llnl (16.05.9-1+deb9u3) stretch; urgency=medium . * Fix CVE-2019-6438 by adding mitigation for a potential heap-overflow on 32-bit systems (Closes: #920997) sox (14.4.1-5+deb9u2) stretch; urgency=medium . * Sync up patches with 14.4.1-5+deb8u4 (sans some uncommented patches) CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 (Closes: #927906) CVE-2019-1010004 CVE-2017-18189 (Closes: #881121) CVE-2017-15642 (Closes: #882144) CVE-2017-15372 (Closes: #878808) CVE-2017-15371 (Closes: #878809) CVE-2017-15370 (Closes: #878810) CVE-2017-11359 CVE-2017-11358 CVE-2017-11332 (Closes: #870328) subversion (1.9.5-1+deb9u4) stretch-security; urgency=high . * Backport security fixes from upstream: + CVE-2018-11782: Remotely triggerable DoS vulnerability in svnserve 'get-deleted-rev'. + CVE-2018-0203: Remote unauthenticated denial-of-service in Subversion svnserve. symfony (2.8.7+dfsg-1.3+deb9u2) stretch-security; urgency=medium . * Cherry-pick upstream commits to fix security issues - [HttpFoundation] Remove support for legacy and risky HTTP headers [CVE-2018-14773] - [Form] Filter file uploads out of regular form types [CVE-2018-19789] - [Security\Http] detect bad redirect targets using backslashes [CVE-2018-19790] - [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine [CVE-2019-10909] - [DI] Check service IDs are valid [CVE-2019-10910] - [Security] Add a separator in the remember me cookie hash [CVE-2019-10911] - [PHPUnit Bridge] Prevent destructors with side-effects from being unserialized [CVE-2019-10912] - [HttpFoundation] fixed using _method parameter with invalid type - [HttpFoundation] reject invalid method override [CVE-2019-10913] systemd (232-25+deb9u12) stretch; urgency=medium . * networkd: Do not stop ndisc client in case of conf error. When an NDisc error happens, e.g. in case of a prefix change, do not shut down the dhcp client. Instead log about it and continue. Otherwise networkd might fail to renew the DHCPv4 address and lose IPv4 connectivity. (Closes: #930353) t-digest (1:3.0-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * No-change rebuild to avoid reuse of pre-epoch version 3.0-1 (Closes: #929618) tenshi (0.13-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . tenshi (0.13-2.1) unstable; urgency=medium . * Non-maintainer upload. * Upload to unstable. * Drop DMUA. . tenshi (0.13-2+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Debian LTS team. * Fix CVE-2017-11746: PID file issue allows local users to kill arbitrary processes (Closes: #871321) thunderbird (1:60.8.0-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.7.2-1) unstable; urgency=medium . * [d6c79ed] New upstream version 60.7.2 Fixed CVE issues in upstream version 60.7.2 (MFSA 2019-20 CVE-2019-11707: Type confusion in Array.pop CVE-2019-11708: sandbox escape using Prompt:Open thunderbird (1:60.7.2-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.7.1-1) unstable; urgency=high . * [f791dee] New upstream version 60.7.1 Fixed CVE issues in upstream version 60.7.1 (MFSA 2019-17) CVE-2019-11703: Heap buffer overflow in icalparser.c CVE-2019-11704: Heap buffer overflow in icalvalue.c CVE-2019-11705: Stack buffer overflow in icalrecur.c CVE-2019-11706: Type confusion in icalproperty.c thunderbird (1:60.7.1-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.7.0-1) unstable; urgency=medium . * [f6dd130] New upstream version 60.7.0 Fixed CVE issues in upstream version 60.7.0 (MFSA 2019-15) CVE-2019-9816: Type confusion with object groups and UnboxedObjects CVE-2019-9817: Stealing of cross-domain images using canvas CVE-2019-9819: Compartment mismatch with fetch API CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell CVE-2019-11691: Use-after-free in XMLHttpRequest CVE-2019-11692: Use-after-free removing listeners in the event listener manager CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux CVE-2019-7317: Use-after-free in png_image_free of libpng library CVE-2019-9797: Cross-origin theft of images with createImageBitmap CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks CVE-2019-5798: Out-of-bounds read in Skia CVE-2019-9800: Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and Thunderbird 60.7 * [4106d54] rebuild patch queue from patch-queue branch added patch: fixes/rust-ignore-not-available-documentation.patch thunderbird (1:60.7.0-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.6.1-1) unstable; urgency=medium . [ intrigeri ] * [2013645] d/rules: drop useless usage of dpkg-parsechangelog . [ Carsten Schoenert ] * [daf1252] New upstream version 60.6.1 Fixed CVE issues in upstream version 60.6.0 (MFSA 2019-11) CVE-2019-9790: Use-after-free when removing in-use DOM elements CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled CVE-2019-9794: Command line arguments not discarded during execution CVE-2019-9795: Type-confusion in IonMonkey JIT compiler CVE-2019-9796: Use-after-free with SMIL animation controller CVE-2018-18506: Proxy Auto-Configuration file can define localhost access to be proxied CVE-2019-9788: Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6, and Thunderbird 60.6 Fixed CVE issues in upstream version 60.6.1 (MFSA 2019-12) CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations * [f88a505] rebuild patch queue from patch-queue branch added patch: fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch tzdata (2019b-0+deb9u1) stretch; urgency=medium . * New upstream version, affecting the following past and future timestamps: - Brazil has canceled DST and will stay on standard time indefinitely. - Predictions for Morocco now go through 2087 instead of 2037. - Palestine's 2019 spring transition was 03-29 at 00:00, not 03-30 at 01:00. Guess future transitions to be March's last Friday at 00:00. - Many corrections to historical Hong Kong transitions from 1941 to 1947. tzdata (2019a-1) unstable; urgency=medium . * New upstream version, affecting the following past and future timestamps: - Palestine will not start DST until 2019-03-30, instead of 2019-03-23 as previously predicted. - Metlakatla ended its observance of Pacific standard time, rejoining Alaska Time, on 2019-01-20 at 02:00. unzip (6.0-21+deb9u2) stretch; urgency=medium . * Fix incorrect parsing of 64-bit values in fileio.c. Closes: #929502. * Apply three patches by Mark Adler to fix CVE-2019-13232. - Fix bug in undefer_input() that misplaced the input state. - Detect and reject a zip bomb using overlapped entries. Bug discovered by David Fifield. Closes: #931433. - Do not raise a zip bomb alert for a misplaced central directory. Reported by Peter Green. Closes: #932404. usbutils (1:007-4+deb9u1) stretch; urgency=medium . * Update usb.ids. Closes: #927365. vim (2:8.0.0197-4+deb9u3) stretch-security; urgency=medium . * Backport patch 8.1.0067 to fix loss of syntax highlighting (Closes: #930718) + 8.1.0067: syntax highlighting not working when re-entering a buffer vim (2:8.0.0197-4+deb9u2) stretch-security; urgency=high . * Backport patches to address CVE-2019-12735 (Closes: #930020) + 8.0.0649: when opening a help file the filetype is set several times + 8.0.0651: build failure without the auto command feature + 8.1.0066: nasty autocommand causes using freed memory + 8.1.0177: defining function in sandbox is inconsistent + 8.1.0189: function defined in sandbox not tested + 8.1.0205: invalid memory access with invalid modeline + 8.1.0206: duplicate test function name + 8.1.0208: file left behind after running individual test + 8.1.0506: modelinen test fails when run by root + 8.1.0538: evaluating a modeline might invoke using a shell command + 8.1.0539: cannot build without the sandbox + 8.1.0540: may evaluate insecure value when appending to option + 8.1.0544: setting 'filetype' in a modeline causes an error + 8.1.0546: modeline test with keymap fails + 8.1.0547: modeline test with keymap still fails + 8.1.0613: when executing an insecure function the secure flag is stuck + 8.1.1046: the "secure" variable is used inconsistently + 8.1.1365: source command doesn't check for the sandbox + 8.1.1366: using expressions in a modeline is unsafe + 8.1.1367: can set 'modelineexpr' in modeline + 8.1.1368: modeline test fails with python but without pythonhome + 8.1.1382: error when editing test files + 8.1.1401: misspelled mkspellmem and makespellmem * gbp.conf: Set debian-branch to debian/stretch * gbp.conf: Set upstream-tag to v%(version)s vlc (3.0.8-0+deb9u1) stretch-security; urgency=high . * New upstream release. - Fix a buffer overflow in the MKV demuxer (CVE-2019-14970) - Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) - Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438) - Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) - Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) - Fix a use after free in the ASF demuxer (CVE-2019-14533) - Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602) (Closes: #932131) - Fix a null dereference in the ASF demuxer (CVE-2019-14534) - Fix a division by zero in the CAF demuxer (CVE-2019-14498) - Fix a division by zero in the ASF demuxer (CVE-2019-14535) - Fix a division by zero when playing DVDs. (Closes: #929491, #923017, #932182) * debian/patches: - Revert modplug version bump. We use the libopenmpt compat layer anyway. - Revert libebml version bump. libebml has been fixed separately. vlc (3.0.7.1-3) unstable; urgency=medium . * debian/patches: Apply upstream patch to fix SIGFPE when playing DVDs. (Closes: #929491, #923017, #932182) vlc (3.0.7.1-2) unstable; urgency=medium . * debian/: Remove obsolete maintscripts. * debian/control: - Remove obsolete transitional package. - Remove obsolete Breaks+Replaces. - Bump Standards-Version. * debian/patches: Apply upstream patches to - unbreak rendering in subsvtt. - fix integer underflows in mp4. (CVE-2019-13602) (Closes: #932131) vlc (3.0.7.1-1) unstable; urgency=medium . * New upstream release. vlc (3.0.7-1) unstable; urgency=high . * New upstream release. - Fix multiple integer overflows. - Fix multiple buffer overflows. - Fix use-after-free issue. - Fix NULL pointer dereference. - Fix other memory access bugs and infinite loops. * debian/rules: Be explicit about --enable-debug/disable-debug. vlc (3.0.7-0+deb9u1) stretch-security; urgency=medium . * New upstream bug fix release. (Closes: #930276) - Fix multiple integer overflows. - Fix multiple buffer overflows. - Fix use-after-free issue. - Fix NULL pointer dereference. - Fix other memory access bugs and infinite loops. * debian/patches: Removed, included upstream. vlc (3.0.6-1) unstable; urgency=medium . * New upstream release. wpa (2:2.4-1+deb9u4) stretch-security; urgency=high . * SECURITY UPDATE (2019-5): - CVE-2019-11555: EAP-pwd message reassembly issue with unexpected fragment (Closes: #927463). xymon (4.3.28-2+deb9u1) stretch; urgency=high . * Apply minimal upstream security patch to fix several (server-only) vulnerabilities reported upstream by Graham Rymer: + CVE-2019-13451: service overflows histlogfn in history.c. + CVE-2019-13452: service overflows histlogfn in reportlog.c. + CVE-2019-13273: srdb overflows dbfn in csvinfo.c. + CVE-2019-13274: reflected XSS in csvinfo.c. + CVE-2019-13455: htmlquoted(hostname) overflows msgline in acknowledge.c. + CVE-2019-13484: htmlquoted(xymondreq) overflows errtxt appfeed.c. + CVE-2019-13485: hostname overflows selfurl in history.c. + CVE-2019-13486: htmlquoted(xymondreq) overflows errtxt in svcstatus.c. + Closes: #935470 * Include hostname validation regression fixes from 4.3.30, too. yubico-piv-tool (1.4.2-2+deb9u2) stretch; urgency=high . * Remove cruft that was included in the source package by mistake. yubico-piv-tool (1.4.2-2+deb9u1) stretch-proposed-updates; urgency=high . * Team upload. * Backport the fix for CVE-2018-14779 & CVE-2018-14780 Closes: #906128 z3 (4.4.1-1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . z3 (4.4.1-1~deb10u1) buster; urgency=medium . * Non-maintainer upload. * Rebuild for buster. . z3 (4.4.1-1) unstable; urgency=medium . [ Gianfranco Costamagna ] * Team Upload * Upload to unstable . [ Andreas Beckmann ] * Do not set the SONAME of libz3java.so to libz3.so.4. (Closes: #842892) . z3 (4.4.1-0.5~exp1) experimental; urgency=medium . * Package moved to salsa (Closes: #926939) * Standards-Version updated to 4.2.1 * Fix priority-extra-is-replaced-by-priority-optional warning * Moved under the llvm umbrella z3 (4.4.1-0.5~exp1) experimental; urgency=medium . * Package moved to salsa (Closes: #926939) * Standards-Version updated to 4.2.1 * Fix priority-extra-is-replaced-by-priority-optional warning * Moved under the llvm umbrella z3 (4.4.1-0.4) unstable; urgency=medium . * Non-maintainer upload. * Remove the incorrect Multi-Arch: same of python-z3, thanks to Helmut Grohne. (Closes: #874237) zeromq3 (4.2.1-4+deb9u2) stretch-security; urgency=high . [ Luca Boccassi ] * Fix CVE-2019-13132: application metadata not parsed correctly when using CURVE. zfs-auto-snapshot (1.2.1-1+deb9u1) stretch; urgency=medium . * Backported from 1.2.4: - Make cronjobs exit silently after package removal. (Closes: #850776) znc (1.6.5-1+deb9u2) stretch-security; urgency=high . * Add upstream patch 03-CVE-2019-12816 to fix a remote code execution by elevating privileges as described in CVE-2019-12816. * Add patch 04-CVE-2019-9917 to fix CVE-2019-9917: Denial of Service (crash) via invalid encoding. Much thanks to Santiago Ruano Rincón for this patch! Closes: #925285 zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high . * CVE-2019-0201: Prevent an information disclosure vulnerability where users who were not authorised to read data were able to view the access control list. (Closes: #929283) ====================================== Sat, 27 Apr 2019 - Debian 9.9 released ====================================== ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:24:04 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozilla-gnome-keyring | 0.12-1 | source xul-ext-gnome-keyring | 0.12-1 | all Closed bugs: 922791 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:24:24 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: gcontactsync | 2.0.5-1 | source xul-ext-gcontactsync | 2.0.5-1 | all Closed bugs: 922792 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:24:44 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: google-tasks-sync | 0.5.3-1 | source xul-ext-google-tasks-sync | 0.5.3-1 | all Closed bugs: 922793 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:25:23 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: timeline | 0.5-4 | source xul-ext-timeline | 0.5-4 | all Closed bugs: 925504 ------------------- Reason ------------------- RoQA; incompatible with newer thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:25:43 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: tbdialout | 1.7.2-1+deb9u1 | source xul-ext-tbdialout | 1.7.2-1+deb9u1 | all Closed bugs: 926048 ------------------- Reason ------------------- RoQA; incompatible with newer thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:32:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: gcu-plugin | 0.14.15-1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by gnome-chemistry-utils) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:33:24 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedtea-8-plugin | 1.6.2-3.1 | amd64, arm64, armel, armhf, i386, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by icedtea-web) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:33:48 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: default-java-plugin | 2:1.8-58 | amd64, arm64, armel, armhf, i386, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by java-common) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:35:29 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: btrfs-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel cdrom-core-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel crypto-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel event-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ext4-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel fat-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel fb-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel fuse-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel input-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ipv6-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel isofs-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel jffs2-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel jfs-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel kernel-image-4.9.0-8-marvell-di | 4.9.144-3.1 | armel leds-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel linux-headers-4.9.0-8-all-armel | 4.9.144-3.1 | armel linux-headers-4.9.0-8-marvell | 4.9.144-3.1 | armel linux-image-4.9.0-8-marvell | 4.9.144-3.1 | armel linux-image-4.9.0-8-marvell-dbg | 4.9.144-3.1 | armel loop-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel md-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel minix-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel mmc-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel mouse-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel mtd-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel multipath-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel nbd-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel nic-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel nic-shared-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel nic-usb-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ppp-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel sata-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel scsi-core-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel squashfs-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel udf-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel usb-serial-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel usb-storage-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel zlib-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:36:49 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ata-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf btrfs-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf crc-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf crypto-dm-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf crypto-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf efi-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf event-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf ext4-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf fat-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf fb-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf fuse-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf i2c-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf input-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf isofs-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf jfs-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf kernel-image-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf leds-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf linux-headers-4.9.0-8-all-armhf | 4.9.144-3.1 | armhf linux-headers-4.9.0-8-armmp | 4.9.144-3.1 | armhf linux-headers-4.9.0-8-armmp-lpae | 4.9.144-3.1 | armhf linux-image-4.9.0-8-armmp | 4.9.144-3.1 | armhf linux-image-4.9.0-8-armmp-dbg | 4.9.144-3.1 | armhf linux-image-4.9.0-8-armmp-lpae | 4.9.144-3.1 | armhf linux-image-4.9.0-8-armmp-lpae-dbg | 4.9.144-3.1 | armhf loop-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf md-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf mmc-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf mtd-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf multipath-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nbd-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nic-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nic-shared-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nic-usb-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf nic-wireless-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf pata-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf ppp-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf sata-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf scsi-core-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf scsi-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf squashfs-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf udf-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf uinput-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf usb-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf usb-storage-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf virtio-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf zlib-modules-4.9.0-8-armmp-di | 4.9.144-3.1 | armhf ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:37:31 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: acpi-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 acpi-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ata-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 ata-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 btrfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 btrfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 cdrom-core-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 cdrom-core-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 crc-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 crc-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 crypto-dm-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 crypto-dm-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 crypto-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 crypto-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 efi-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 efi-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 event-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 event-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ext4-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 ext4-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 fat-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 fat-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 fb-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 fb-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 firewire-core-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 firewire-core-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 fuse-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 fuse-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 hyperv-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 hyperv-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 i2c-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 i2c-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 input-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 input-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 isofs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 isofs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 jfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 jfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 kernel-image-4.9.0-8-686-di | 4.9.144-3.1 | i386 kernel-image-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 linux-headers-4.9.0-8-686 | 4.9.144-3.1 | i386 linux-headers-4.9.0-8-686-pae | 4.9.144-3.1 | i386 linux-headers-4.9.0-8-all-i386 | 4.9.144-3.1 | i386 linux-headers-4.9.0-8-rt-686-pae | 4.9.144-3.1 | i386 linux-image-4.9.0-8-686 | 4.9.144-3.1 | i386 linux-image-4.9.0-8-686-dbg | 4.9.144-3.1 | i386 linux-image-4.9.0-8-686-pae | 4.9.144-3.1 | i386 linux-image-4.9.0-8-686-pae-dbg | 4.9.144-3.1 | i386 linux-image-4.9.0-8-rt-686-pae | 4.9.144-3.1 | i386 linux-image-4.9.0-8-rt-686-pae-dbg | 4.9.144-3.1 | i386 loop-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 loop-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 md-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 md-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 mmc-core-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 mmc-core-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 mmc-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 mmc-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 mouse-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 mouse-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 multipath-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 multipath-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nbd-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nbd-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-pcmcia-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-pcmcia-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-shared-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-shared-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-usb-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-usb-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 nic-wireless-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 nic-wireless-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ntfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 ntfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 pata-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 pata-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 pcmcia-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 pcmcia-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 pcmcia-storage-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 pcmcia-storage-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ppp-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 ppp-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 sata-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 sata-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 scsi-core-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 scsi-core-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 scsi-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 scsi-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 serial-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 serial-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 sound-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 sound-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 speakup-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 speakup-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 squashfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 squashfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 udf-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 udf-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 uinput-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 uinput-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 usb-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 usb-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 usb-serial-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 usb-serial-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 usb-storage-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 usb-storage-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 virtio-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 virtio-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 xfs-modules-4.9.0-8-686-di | 4.9.144-3.1 | i386 xfs-modules-4.9.0-8-686-pae-di | 4.9.144-3.1 | i386 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:37:50 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-headers-4.9.0-8-all-mips | 4.9.144-3.1 | mips ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:38:37 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: affs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel btrfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel cdrom-core-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel crc-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel crypto-dm-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel crypto-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel event-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel ext4-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel fat-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel fuse-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel hfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel input-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel isofs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel jfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel kernel-image-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel linux-headers-4.9.0-8-5kc-malta | 4.9.144-3.1 | mips, mips64el, mipsel linux-headers-4.9.0-8-octeon | 4.9.144-3.1 | mips, mips64el, mipsel linux-image-4.9.0-8-5kc-malta | 4.9.144-3.1 | mips, mips64el, mipsel linux-image-4.9.0-8-5kc-malta-dbg | 4.9.144-3.1 | mips, mips64el, mipsel linux-image-4.9.0-8-octeon | 4.9.144-3.1 | mips, mips64el, mipsel linux-image-4.9.0-8-octeon-dbg | 4.9.144-3.1 | mips, mips64el, mipsel loop-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel md-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel minix-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel multipath-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nbd-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nic-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nic-shared-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nic-usb-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel nic-wireless-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel ntfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel pata-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel ppp-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel rtc-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel sata-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel scsi-core-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel scsi-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel sound-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel squashfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel udf-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel usb-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel usb-serial-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel usb-storage-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel virtio-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel xfs-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel zlib-modules-4.9.0-8-octeon-di | 4.9.144-3.1 | mips, mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:39:01 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: acpi-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ata-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 btrfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 cdrom-core-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 crc-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 crypto-dm-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 crypto-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 efi-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 event-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ext4-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 fat-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 fb-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 firewire-core-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 fuse-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 hyperv-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 i2c-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 input-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 isofs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 jfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 kernel-image-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 linux-headers-4.9.0-8-all-amd64 | 4.9.144-3.1 | amd64 linux-headers-4.9.0-8-amd64 | 4.9.144-3.1 | amd64 linux-headers-4.9.0-8-rt-amd64 | 4.9.144-3.1 | amd64 linux-image-4.9.0-8-amd64 | 4.9.144-3.1 | amd64 linux-image-4.9.0-8-amd64-dbg | 4.9.144-3.1 | amd64 linux-image-4.9.0-8-rt-amd64 | 4.9.144-3.1 | amd64 linux-image-4.9.0-8-rt-amd64-dbg | 4.9.144-3.1 | amd64 loop-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 md-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 mmc-core-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 mmc-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 mouse-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 multipath-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nbd-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-pcmcia-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-shared-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-usb-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 nic-wireless-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ntfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 pata-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 pcmcia-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 pcmcia-storage-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ppp-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 sata-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 scsi-core-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 scsi-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 serial-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 sound-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 speakup-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 squashfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 udf-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 uinput-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 usb-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 usb-serial-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 usb-storage-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 virtio-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 xfs-modules-4.9.0-8-amd64-di | 4.9.144-3.1 | amd64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:39:17 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: btrfs-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x crc-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x crypto-dm-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x crypto-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x dasd-extra-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x dasd-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x ext4-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x fat-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x fuse-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x isofs-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x kernel-image-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x linux-headers-4.9.0-8-all-s390x | 4.9.144-3.1 | s390x linux-headers-4.9.0-8-s390x | 4.9.144-3.1 | s390x linux-image-4.9.0-8-s390x | 4.9.144-3.1 | s390x linux-image-4.9.0-8-s390x-dbg | 4.9.144-3.1 | s390x loop-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x md-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x multipath-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x nbd-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x nic-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x scsi-core-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x scsi-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x udf-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x virtio-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x xfs-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x zlib-modules-4.9.0-8-s390x-di | 4.9.144-3.1 | s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:39:52 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-headers-4.9.0-8-all | 4.9.144-3.1 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:40:18 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ata-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 btrfs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 cdrom-core-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 crc-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 crypto-dm-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 crypto-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 efi-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 event-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 ext4-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 fat-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 fb-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 fuse-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 i2c-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 input-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 isofs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 jfs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 kernel-image-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 leds-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 linux-headers-4.9.0-8-all-arm64 | 4.9.144-3.1 | arm64 linux-headers-4.9.0-8-arm64 | 4.9.144-3.1 | arm64 linux-image-4.9.0-8-arm64 | 4.9.144-3.1 | arm64 linux-image-4.9.0-8-arm64-dbg | 4.9.144-3.1 | arm64 loop-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 md-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 mmc-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 multipath-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nbd-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nic-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nic-shared-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nic-usb-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 nic-wireless-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 ppp-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 sata-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 scsi-core-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 scsi-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 squashfs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 udf-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 uinput-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 usb-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 usb-storage-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 virtio-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 xfs-modules-4.9.0-8-arm64-di | 4.9.144-3.1 | arm64 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:41:38 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: crc-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel crypto-dm-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:42:04 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: affs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ata-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel btrfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel cdrom-core-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel crc-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel crypto-dm-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel crypto-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel event-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ext4-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel fat-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel fuse-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel hfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel i2c-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel input-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel isofs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel jfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel kernel-image-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel linux-headers-4.9.0-8-4kc-malta | 4.9.144-3.1 | mips, mipsel linux-image-4.9.0-8-4kc-malta | 4.9.144-3.1 | mips, mipsel linux-image-4.9.0-8-4kc-malta-dbg | 4.9.144-3.1 | mips, mipsel loop-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel md-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel minix-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel mmc-core-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel mmc-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel mouse-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel multipath-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nbd-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nic-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nic-shared-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nic-usb-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel nic-wireless-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ntfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel pata-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ppp-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel sata-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel scsi-core-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel scsi-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel sound-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel squashfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel udf-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel usb-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel usb-serial-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel usb-storage-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel virtio-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel xfs-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel zlib-modules-4.9.0-8-4kc-malta-di | 4.9.144-3.1 | mips, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:42:36 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: affs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ata-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el btrfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el cdrom-core-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el crc-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el crypto-dm-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el crypto-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el event-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ext4-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el fat-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el fuse-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el hfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el i2c-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el input-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el isofs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el jfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el kernel-image-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el linux-headers-4.9.0-8-all-mips64el | 4.9.144-3.1 | mips64el loop-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el md-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el minix-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el mmc-core-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el mmc-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el mouse-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el multipath-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nbd-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nic-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nic-shared-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nic-usb-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el nic-wireless-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ntfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el pata-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ppp-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el sata-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el scsi-core-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el scsi-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el sound-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el squashfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el udf-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el usb-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el usb-serial-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el usb-storage-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el virtio-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el xfs-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el zlib-modules-4.9.0-8-5kc-malta-di | 4.9.144-3.1 | mips64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:43:12 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: affs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ata-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel btrfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel cdrom-core-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel crc-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel crypto-dm-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel crypto-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel event-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ext4-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel fat-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel fb-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel firewire-core-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel fuse-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel hfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel input-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel isofs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel jfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel kernel-image-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel linux-headers-4.9.0-8-loongson-3 | 4.9.144-3.1 | mips64el, mipsel linux-image-4.9.0-8-loongson-3 | 4.9.144-3.1 | mips64el, mipsel linux-image-4.9.0-8-loongson-3-dbg | 4.9.144-3.1 | mips64el, mipsel loop-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel md-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nbd-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nic-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nic-shared-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nic-usb-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel nic-wireless-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ntfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel pata-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ppp-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel sata-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel scsi-core-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel scsi-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel sound-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel speakup-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel squashfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel udf-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel usb-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel usb-serial-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel usb-storage-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel virtio-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel xfs-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel zlib-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:43:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-headers-4.9.0-8-all-mipsel | 4.9.144-3.1 | mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:43:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ata-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el btrfs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el cdrom-core-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el crc-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el crypto-dm-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el crypto-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el event-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el ext4-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el fancontrol-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el fat-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el firewire-core-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el fuse-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el hypervisor-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el input-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el isofs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el jfs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el kernel-image-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el linux-headers-4.9.0-8-all-ppc64el | 4.9.144-3.1 | ppc64el linux-headers-4.9.0-8-powerpc64le | 4.9.144-3.1 | ppc64el linux-image-4.9.0-8-powerpc64le | 4.9.144-3.1 | ppc64el linux-image-4.9.0-8-powerpc64le-dbg | 4.9.144-3.1 | ppc64el loop-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el md-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el mouse-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el multipath-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el nbd-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el nic-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el nic-shared-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el ppp-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el sata-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el scsi-core-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el scsi-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el serial-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el squashfs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el udf-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el uinput-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el usb-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el usb-serial-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el usb-storage-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el virtio-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el xfs-modules-4.9.0-8-powerpc64le-di | 4.9.144-3.1 | ppc64el ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:44:40 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: uinput-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel usb-modules-4.9.0-8-marvell-di | 4.9.144-3.1 | armel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:44:51 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: minix-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel multipath-modules-4.9.0-8-loongson-3-di | 4.9.144-3.1 | mips64el, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:47:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-headers-4.9.0-8-common | 4.9.144-3.1 | all linux-headers-4.9.0-8-common-rt | 4.9.144-3.1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:49:07 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: icedtea-plugin | 1.6.2-3.1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by icedtea-web) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:49:49 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-support-4.9.0-8 | 4.9.144-3.1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:56:57 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: linux-doc-4.9 | 4.9.144-3.1 | all linux-manual-4.9 | 4.9.144-3.1 | all linux-source-4.9 | 4.9.144-3.1 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by linux) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 27 Apr 2019 08:58:11 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: java-common | 0.58 | all ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by java-common) ---------------------------------------------- ========================================================================= ansible (2.2.1.0-2+deb9u1) stretch-security; urgency=high . * Add patch to fix CVE 2018-10855. * Add patch to fix CVE 2018-16837. * Add patch to fix CVE 2018-10875. * Add patch to fix CVE 2018-16876. * Add patch to fix CVE 2019-3828. apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium . [ Xavier Guimard ] * CVE-2018-17199: mode_session: Fix missing check for session expiry time. Closes: #920303 . [ Stefan Fritsch ] * mod_http2: Fix keepalive timeout behavior. This fixes a regression with Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103 * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper. Closes: #904150 * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies. Closes: #920302 * CVE-2019-0196: mod_http2: Fix read after free * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root. * CVE-2019-0217: mod_auth_digest: Access control bypass * CVE-2019-0220: URL normalization inconsistincy. Consecutive slashes in URL's are now merged before use in LocationMatch and RewriteRule. The old behavior can be restored with the new directive "MergeSlashes off". audiofile (0.3.6-4+deb9u1) stretch; urgency=medium . * CVE-2018-13440 (Closes: #903499) * CVE-2018-17095 (Closes: #913166) base-files (9.9+deb9u9) stretch; urgency=medium . * Change /etc/debian_version to 9.9, for Debian 9.9 point release. bwa (0.7.15-2+deb9u1) stretch; urgency=medium . * Team upload * Add patch from upstream to fix CVE-2019-10269. (Closes: #926014) ca-certificates-java (20170929~deb9u3) stretch; urgency=medium . * Team upload. * Fix printf syntax problem introduced in 20170929~deb9u2 ca-certificates-java (20170929~deb9u2) stretch; urgency=medium . * Team upload. * Address bashisms in postinst and jks-keystore (Closes: #922720) cernlib (20061220+dfsg3-4.3+deb9u2) stretch; urgency=medium . * Update patch 304-update-Imake-config-files.dpatch to force -no-pie when linking Fortran executables (workaround for #863152 being in the way of the previous fix) cernlib (20061220+dfsg3-4.3+deb9u1) stretch; urgency=medium . * Backport for stretch of the fix for #922453 bringed by 20061220+dfsg3-4.4 * 126-fix-patchy-compile-flags.dpatch 304-update-Imake-config-files.dpatch: fix these patches to apply optimization flag -O to fortran modules instead of -O2 which generates broken code (closes: #922453; thanks to Jacek M. Holeczek ) choose-mirror (2.79+deb9u1) stretch; urgency=medium . [ Cyril Brulebois ] * Update MIRRORLISTURL to point to salsa. . [ Julien Cristau ] * Update Mirrors.masterlist. chrony (3.0-4+deb9u2) stretch; urgency=medium . * debian/patches/*: - Add allow-_llseek-in-seccomp-filter.patch. Needed on various 32-bit plateforms to log the {raw}measurements and statistics information when the seccomp filter is enabled. Thanks a lot to Francesco Poli (wintermute) for the report. (Closes: #923137) - Add allow-waitpid-in-seccomp-filter.patch. Needed to correctly stop chronyd on some plateforms when the seccomp filter is enabled. ckermit (302-5.3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Drop check openssl compile time version vs runtime version (Closes: #917485). clamav (0.100.3+dfsg-0+deb9u1) stretch; urgency=medium . * New upstream security release - Fixes for the following vulnerabilities: - [CVE-2019-1787]: An out-of-bounds heap read condition may occur when scanning PDF documents. The defect is a failure to correctly keep track of the number of bytes remaining in a buffer when indexing file data. - [CVE-2019-1789]: An out-of-bounds heap read condition may occur when scanning PE files (i.e. Windows EXE and DLL files) that have been packed using Aspack as a result of inadequate bound-checking. - [CVE-2019-1788]: An out-of-bounds heap write condition may occur when scanning OLE2 files such as Microsoft Office 97-2003 documents. The invalid write happens when an invalid pointer is mistakenly used to initialize a 32bit integer to zero. This is likely to crash the application. * Update debian/copyright * Update private symbols for new upstream release clamav (0.100.2+dfsg-2) unstable; urgency=medium . * Increase clamd socket command read timeout to 30 seconds (Closes: #915098) clamav (0.100.2+dfsg-1) unstable; urgency=medium . * Import new upstream - Bump symbol version due to new version. - CVE-2018-15378 (Closes: #910430). * add NEWS.md and README.md from upstream * Fix infinite loop in dpkg-reconfigure, Patch by Santiago Ruano Rincón (Closes: #905044). coturn (4.5.0.5-1+deb9u1) stretch-security; urgency=high . * HotFix: for 3 vulnerabilities . For more details see: - CVE-2018-4056 coTURN Administrator Web Portal SQL injection vulnerability . Fix: Disable (hardcocded) web admin interface until 4.5.1.0, where it will be fixed more correctly. . - CVE-2018-4058 coTURN TURN server unsafe loopback forwarding default configuration vulnerability . Fix: Disable loopback-peer functionality by default. . - CVE-2018-4059 coTURN server unsafe telnet admin portal default configuration vulnerability . Fix: Disable telnet cli if the cli-password is empty. dansguardian (2.10.1.1-5.1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add 'missingok' to logrotate config. (Closes: #916566) debian-installer (20170615+deb9u6) stretch; urgency=medium . * Bump Linux kernel version from 4.9.0-8 to 4.9.0-9. debian-installer-netboot-images (20170615+deb9u6) stretch; urgency=medium . * Update to 20170615+deb9u6 images, from stretch-proposed-update debian-security-support (2019.02.02~deb9u1) stretch; urgency=medium . * Team upload. * Rebuild for stretch. * Re-add debian/compat and depend on debhelper instead of debhelper-compat. debian-security-support (2019.02.01) unstable; urgency=medium . * Team upload. * mark enigmail as unsupported in jessie diffoscope (78+deb9u1) stretch; urgency=medium . * tests: + Fix ps tests to pass with the new ghostscript 9.26. Closes: #925051 dns-root-data (2019031302~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * d/control: move Vcs-* to salsa.debian.org * d/control: use dns-root-data@packages.debian.org as Maintainer * sort generated .ds files by key tag * Update root.hints to 2018013001 * Update order of root.key to follow output of unbound-anchor * use DEP-14 branches * update root data to 2019031302 * parse-root-anchors.sh: account for validity windows * check: deliberately skip the TTL generated by ldns-key2ds * add myself to uploaders dns-root-data (2018091102) unstable; urgency=medium . * new upstream version of root.hints, 2018091102 * use DEP-14 branches * Standards-Version: 4.2.1 (no changes needed) * add Rules-Requires-Root: no * add baseline autopkgtest dns-root-data (2018013001) unstable; urgency=medium . * new upstream version of root.hints, 2018013001 * use wrap-and-sort -ast * added myself to uploaders * d/control: use dns-root-data@packages.debian.org as Maintainer * Standards-Version: bump to 4.1.3 (no changes needed) * d/control: move Vcs-* to salsa.debian.org * move to debhelper 11 * d/rules: clean up get_orig_source * sort generated .ds files by key tag * d/rules: trim trailing whitespace * d/copyright: Format: use https * d/copyright: add my own copyright to debian/* * d/copyright: name upstream data grant "ICANN-Public" * d/copyright: Source: use https: * update README.source to cover the different origins of the data * Update order of root.key to follow output of unbound-anchor dns-root-data (2017072601) unstable; urgency=medium . * Update root.hints to 2017072601 version dnsruby (1.54-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * add new root key (KSK-2017). upstream commit 55edc31a2150e4617edb6664d440e6141f535e6a (Closes: #908887) * ruby 2.3.0 deprecates TimeoutError, use Timeout::Error (Closes: #910754) dovecot (1:2.2.27-3+deb9u4) stretch-security; urgency=high . * [d402493] Fix two buffer overflows when reading oversized FTS headers and/or oversized POP3-UIDL headers (CVE-2019-7524). dovecot (1:2.2.27-3+deb9u3) stretch-security; urgency=high . * [1fb4e06] Fix CVE-2019-3814: TLS client auth username handling dpdk (16.11.9-1+deb9u1) stretch; urgency=medium . * Merge stable update to 16.11.9; For a list of changes see https://mails.dpdk.org/archives/announce/2019-March/000252.html drupal7 (7.52-2+deb9u8) stretch-security; urgency=high . * SA-CORE-2019-006: Fix XSS vulnerability (Closes: #927330) drupal7 (7.52-2+deb9u7) stretch-security; urgency=high . * SA-CORE-2019-004: Fix XSS vulnerability edk2 (0~20161202.7bbe0b3e-1+deb9u1) stretch; urgency=medium . * Security fixes (Closes: #924615): - Fix buffer overflow in BlockIo service (CVE-2018-12180) - DNS: Check received packet size before using (CVE-2018-12178) - Fix stack overflow with corrupted BMP (CVE-2018-12181) firefox-esr (60.6.1esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-10, also known as: CVE-2019-9810, CVE-2019-9813. firefox-esr (60.6.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-08, also known as: CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, CVE-2019-9795, CVE-2019-9796, CVE-2018-18506, CVE-2019-9788. . * debian/rules: Disable debug symbols on mips/mipsel on buster. The rust compiler can't deal with them in the available address space. * debian/browser.mozconfig.in: Adjust to the upstream change wrt Google API key configure options. firefox-esr (60.6.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-08, also known as: CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, CVE-2019-9795, CVE-2019-9796, CVE-2018-18506, CVE-2019-9788. . * debian/rules: Disable debug symbols on mips/mipsel on buster. The rust compiler can't deal with them in the available address space. * debian/browser.mozconfig.in: Adjust to the upstream change wrt Google API key configure options. firefox-esr (60.5.1esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-05, also known as: CVE-2018-18356, CVE-2019-5785. . * debian/rules, debian/upstream.mk: Manually set the update channel. Closes: #921381, #921121, #921654. * debian/rules: Disable ion JIT on mips and mipsel. This should fix the FTBFS. firefox-esr (60.5.1esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-05, also known as: CVE-2018-18356, CVE-2019-5785. . * debian/rules, debian/upstream.mk: Manually set the update channel. Closes: #921381, #921121, #921654. * debian/rules: Disable ion JIT on mips and mipsel. This should fix the FTBFS. firefox-esr (60.5.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2019-02, also known as: CVE-2018-18500, CVE-2018-18505, CVE-2018-18501. firmware-nonfree (20161130-5) stretch; urgency=medium . [ Emilio Pozuelo Monfort ] * CVE-2018-5383: - atheros: Update BT firmware files for QCA ROME chip. - iwlwifi: Update Intel BT firmware to 20.60.0.2. flatpak (0.8.9-0+deb9u3) stretch; urgency=medium . * d/p/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch: Reject all ioctls that the kernel will interpret as TIOCSTI, including those where the high 32 bits in a 64-bit word are nonzero. (Closes: #925541, CVE-2019-10063) flatpak (0.8.9-0+deb9u2) stretch-security; urgency=medium . * d/p/Don-t-expose-proc-when-running-apply_extra.patch: Backport patch from upstream v1.2.3: do not let the apply_extra script for a system installation modify the host-side executable via /proc/self/exe, similar to CVE-2019-5736 in runc (Closes: #922059) ghostscript (9.26a~dfsg-0+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Have gs_cet.ps run from gs_init.ps * Undef /odef in gs_init.ps * Restrict superexec and remove it from internals and gs_cet.ps (CVE-2019-3835) (Closes: #925256) * Obliterate "superexec". We don't need it, nor do any known apps (CVE-2019-3835) (Closes: #925256) * Make a transient proc executeonly (in DefineResource) (CVE-2019-3838) (Closes: #925257) * an extra transient proc needs executeonly'ed (CVE-2019-3838) (Closes: #925257) gnome-chemistry-utils (0.14.15-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. . [ Adrian Bunk ] * Drop the obsolete gcu-plugin. (Closes: #906855, #890980) gocode (20150303-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * gocode-auto-complete-el: Promote auto-complete-el to Pre-Depends. (Closes: #911590) gpac (0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1) stretch; urgency=medium . * CVE-2018-7752 (Closes: #892526) * CVE-2018-13005, CVE-2018-13006 (Closes: #902782) * CVE-2018-20760, CVE-2018-20761, CVE-2018-20762, CVE-2018-20763 (Closes: #921969) icedtea-web (1.6.2-3.1+deb9u1) stretch; urgency=medium . * Stop building the browser plugin, no longer works with Firefox 60 igraph (0.7.1-2.1+deb9u1) stretch; urgency=medium . * Team upload. * Add patch from upstream to fix CVE-2018-20349. (Closes: #917211) ikiwiki (3.20170111.1) stretch-security; urgency=high . * aggregate: Use LWPx::ParanoidAgent if available. Previously blogspam, openid and pinger used this module if available, but aggregate did not. This prevents server-side request forgery or local file disclosure, and mitigates denial of service when slow "tarpit" URLs are accessed. (CVE-2019-9187) * blogspam, openid, pinger: Use a HTTP proxy if configured, even if LWPx::ParanoidAgent is installed. Previously, only aggregate would obey proxy configuration. If a proxy is used, the proxy (not ikiwiki) is responsible for preventing attacks like CVE-2019-9187. * aggregate, blogspam, openid, pinger: Do not access non-http, non-https URLs. Previously, these plugins would have allowed non-HTTP-based requests if LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local file disclosure, and preventing other rarely-used URI schemes like gopher mitigates request forgery attacks. * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly recommended. These plugins can request attacker-controlled URLs in some site configurations. * blogspam: Document LWPx::ParanoidAgent as desirable. This plugin doesn't request attacker-controlled URLs, so it's non-critical here. * blogspam, openid, pinger: Consistently use cookiejar if configured. Previously, these plugins would only obey this configuration if LWPx::ParanoidAgent was not installed, but this appears to have been unintended. jabref (3.8.1+ds-3+deb9u1) stretch; urgency=medium . [ gregor herrmann & tony mancill ] * Add patch from upstream commit to fix CVE-2018-1000652: XML External Entity attack. Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772) java-common (0.58+deb9u1) stretch; urgency=medium . * Remove default-java-plugin as the icedtea-web Xul plugin is going away * Also drop the Recommends: to default-java-plugin in default-jre jquery (3.1.1-2+deb9u1) stretch; urgency=medium . * Team upload * Add patch to prevent Object.prototype pollution (Closes: #927385, CVE-2019-11358) * Disable check-against-upstream-build test (autopkgtest) since file is now patched kauth (5.28.0-2+deb9u1) stretch; urgency=medium . * CVE-2019-7443 (Closes: #921995) ldb (2:1.1.27-1+deb9u1) stretch-security; urgency=high . * Fixes CVE-2019-3824: "Out of bound read in ldb_wildcard_compare" - Add CVE-2019-3824-master-v4-5-02.patch from upstream's bug 13773 - Update path in CVE-2019-3824-master-v4-5-02.patch libapache2-mod-auth-mellon (0.12.0-2+deb9u1) stretch-security; urgency=high . * Upload to stable-security (closes: #925197) - Auth bypass when used with reverse proxy [CVE-2019-3878] - Open redirect vulnerability in logout [CVE-2019-3877] libdate-holidays-de-perl (1.9-1+deb9u3) stretch; urgency=medium . * Mark Mar 8th (from 2019) and May 8th (only 2020) as public holidays (Berlin only). libdatetime-timezone-perl (1:2.09-1+2019a) stretch; urgency=medium . * Update to Olson database version 2019a. This update contains contemporary changes for Palestine and Metlakatla. liblivemedia (2016.11.28-1+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2019-6256: denial of service when processing get and post with identical x-session-cookie within the same tcp session. * CVE-2019-7314: use-after-free during RTSP stream termination. * CVE-2019-9215: malformed headers lead to invalid memory access in the parseAuthorizationHeader function. libreoffice (1:5.2.7-1+deb9u7) stretch; urgency=medium . * debian/patches/mention-java-common-package.diff: update message to reflect current config dir... * debian/patches/disableClassPathURLCheck.diff: revert openjdk is fixed . * debian/control.in: - make -core conflict against openjdk-8-jre-headless (= 8u181-b13-2~deb9u1) (closes: 913641#) and build-conflict against it libreoffice (1:5.2.7-1+deb9u6) stable; urgency=medium . * debian/patches/jp-JP-Reiwa.diff: Introduce next Japanese gengou era 'Reiwa', from libreoffice-6-1 branch libssh2 (1.7.0-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Possible integer overflow in transport read allows out-of-bounds write (CVE-2019-3855) (Closes: #924965) * Possible integer overflow in keyboard interactive handling allows out-of-bounds write (CVE-2019-3856) (Closes: #924965) * Possible integer overflow leading to zero-byte allocation and out-of-bounds write (CVE-2019-3857) (Closes: #924965) * Possible zero-byte allocation leading to an out-of-bounds read (CVE-2019-3858) (Closes: #924965) * Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859) (Closes: #924965) * Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860) (Closes: #924965) * Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) (Closes: #924965) * Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965) * Integer overflow in user authenicate keyboard interactive allows out-of-bounds writes (CVE-2019-3863) (Closes: #924965) * Fixed misapplied patch for user auth. * moved MAX size declarations libu2f-host (1.1.2-2+deb9u1) stretch-security; urgency=high . * Backport patch for CVE-2018-20340 (Closes: #921725) linux (4.9.168-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.162 - Revert "loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()" - Revert "loop: Get rid of loop_index_mutex" - Revert "loop: Fold __loop_release into loop_release" - scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached - [arm64] drm/msm: Unblock writer if reader closes file - [x86] ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field - [x86] ALSA: compress: prevent potential divide by zero bugs - [x86] thermal: int340x_thermal: Fix a NULL vs IS_ERR() check - [arm64,armhf] usb: dwc3: gadget: synchronize_irq dwc irq in suspend - [arm64,armhf] usb: dwc3: gadget: Fix the uninitialized link_state when udc starts - usb: gadget: Potential NULL dereference on allocation error - ASoC: dapm: change snprintf to scnprintf for possible overflow - [armhf] ASoC: imx-audmux: change snprintf to scnprintf for possible overflow - [x86] drivers: thermal: int340x_thermal: Fix sysfs race condition - mac80211: fix miscounting of ttl-dropped frames - locking/rwsem: Fix (possible) missed wakeup - direct-io: allow direct writes to empty inodes - scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() - net: usb: asix: ax88772_bind return error when hw_reset fail - [ppc64el] ibmveth: Do not process frames after calling napi_reschedule - mac80211: don't initiate TDLS connection if station is not associated to AP - mac80211: Add attribute aligned(2) to struct 'action' - cfg80211: extend range deviation for DMG - [x86] svm: Fix AVIC incomplete IPI emulation - [x86] KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1 - [powerpc*] Always initialize input array when calling epapr_hypercall() - [arm64] mmc: spi: Fix card detection during probe - mm: enforce min addr even if capable() in expand_downwards() (CVE-2019-9213) - [x86] uaccess: Don't leak the AC flag into __put_user() value evaluation https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.163 - USB: serial: option: add Telit ME910 ECM composition - USB: serial: cp210x: add ID for Ingenico 3070 - USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 - cpufreq: Use struct kobj_attribute instead of struct global_attr - ncpfs: fix build warning of strncpy - [x86] staging: comedi: ni_660x: fix missing break in switch statement - ip6mr: Do not call __IP6_INC_STATS() from preemptible context - net-sysfs: Fix mem leak in netdev_register_kobject - sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 - team: Free BPF filter when unregistering netdev - bnxt_en: Drop oversize TX packets to prevent errors. - [x86] hv_netvsc: Fix IP header checksum for coalesced packets - [armhf] net: dsa: mv88e6xxx: Fix u64 statistics - net: netem: fix skb length BUG_ON in __skb_to_sgvec - net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails - net: sit: fix memory leak in sit_init_net() - xen-netback: don't populate the hash cache on XenBus disconnect - xen-netback: fix occasional leak of grant ref mappings under memory pressure - net: Add __icmp_send helper. - tun: fix blocking read - tun: remove unnecessary memory barrier - net: phy: Micrel KSZ8061: link failure after cable connect - [x86] CPU/AMD: Set the CPB bit unconditionally on F17h - applicom: Fix potential Spectre v1 vulnerabilities - [mips*] irq: Allocate accurate order pages for irq stack - hugetlbfs: fix races and page leaks during migration - exec: Fix mem leak in kernel_read_file (CVE-2019-8980) - media: uvcvideo: Fix 'type' check leading to overflow - vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel - perf core: Fix perf_proc_update_handler() bug - perf tools: Handle TOPOLOGY headers with no CPU - IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM - [amd64] iommu/amd: Call free_iova_fast with pfn in map_sg - [amd64] iommu/amd: Unmap all mapped pages in error path of map_sg - ipvs: Fix signed integer overflow when setsockopt timeout - [amd64] iommu/amd: Fix IOMMU page flush when detach device from a domain - [arm64] net: hns: Fix for missing of_node_put() after of_parse_phandle() - [arm64] net: hns: Fix wrong read accesses via Clause 45 MDIO protocol - [armhf] net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() - nfs: Fix NULL pointer dereference of dev_name - qed: Fix VF probe failure while FLR - scsi: libfc: free skb when receiving invalid flogi resp - [x86] platform: Fix unmet dependency warning for SAMSUNG_Q10 - cifs: fix computation for MAX_SMB2_HDR_SIZE - [arm64] kprobe: Always blacklist the KVM world-switch code - [x86] kexec: Don't setup EFI info if EFI runtime is not enabled - mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone - mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone - fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() - autofs: drop dentry reference only when it is never used - autofs: fix error return in autofs_fill_super() - vsock/virtio: fix kernel panic after device hot-unplug - vsock/virtio: reset connected sockets on device removal - netfilter: nf_nat: skip nat clash resolution for same-origin entries - [s390x] qeth: fix use-after-free in error path - perf symbols: Filter out hidden symbols from labels - [mips*] Remove function size check in get_frame_info() - fs: ratelimit __find_get_block_slow() failure message. - Input: wacom_serial4 - add support for Wacom ArtPad II tablet - Input: elan_i2c - add id for touchpad found in Lenovo s21e-20 - [x86] iscsi_ibft: Fix missing break in switch statement - scsi: aacraid: Fix missing break in switch statement - futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() - [armhf] dts: exynos: Fix pinctrl definition for eMMC RTSN line on Odroid X2/U3 - drm: disable uncached DMA optimization for ARM and arm64 - [armhf] dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420 - [x86] perf/x86/intel: Make cpuc allocations consistent - [x86] perf/x86/intel: Generalize dynamic constraint creation - [x86] Add TSX Force Abort CPUID/MSR https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.164 - ACPICA: Reference Counts: increase max to 0x4000 for large servers - KEYS: restrict /proc/keys by credentials at open time - l2tp: fix infoleak in l2tp_ip6_recvmsg() - net: sit: fix UBSAN Undefined behaviour in check_6rd - pptp: dst_release sk_dst_cache in pptp_sock_destruct - route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race - tcp: handle inet_csk_reqsk_queue_add() failures - vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() - net/mlx4_core: Fix reset flow when in command polling mode - net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling - net/mlx4_core: Fix qp mtt size calculation - mdio_bus: Fix use-after-free on device_register fails - net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 - af_unix: missing barriers in some of unix_sock ->addr and ->path accesses - ipvlan: disallow userns cap_net_admin to change global mode/flags - vxlan: Fix GRO cells race condition between receive and link delete - rxrpc: Fix client call queueing, waiting for channel - gro_cells: make sure device is up in gro_cells_receive() - tcp/dccp: remove reqsk_put() from inet_child_forget() - [x86] perf: Fixup typo in stub functions - ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 - md: It's wrong to add len to sector_nr in raid10 reshape twice - of: Support const and non-const use for to_of_node() - vhost/vsock: fix vhost vsock cid hashing inconsistent https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.165 - media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused() - 9p: use inode->i_lock to protect i_size_write() under 32-bit - 9p/net: fix memory leak in p9_client_create - [armhf] iio: adc: exynos-adc: Fix NULL pointer exception on unbind - crypto: ahash - fix another early termination in hash walk - [armhf] gpu: ipu-v3: Fix i.MX51 CSI control registers offset - [armhf] gpu: ipu-v3: Fix CSI offsets for imx53 - [s390x] dasd: fix using offset into zero size array error - [armhf] OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized - floppy: check_events callback should not return a negative number - mm/gup: fix gup_pmd_range() for dax - mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs - [arm64] net: hns: Fix object reference leaks in hns_dsaf_roce_reset() - [armhf] clk: sunxi: A31: Fix wrong AHB gate number - assoc_array: Fix shortcut creation - scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task - [arm64] pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins - qmi_wwan: apply SET_DTR quirk to Sierra WP7607 - [armel] net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() - [x86] ASoC: topology: free created components in tplg load error - [arm64] Relax GIC version check during early boot - [armhf] net: marvell: mvneta: fix DMA debug warning - tmpfs: fix link accounting when a tmpfile is linked in - mac80211_hwsim: propagate genlmsg_reply return code - [arm64] net: thunderx: make CFG_DONE message to run through generic send-ack sequence - nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K - nfp: bpf: fix ALU32 high bits clearance bug - net: set static variable an initial value in atl2_probe() - tmpfs: fix uninitialized return value in shmem_link - [x86] libnvdimm/label: Clear 'updating' flag after label-set update - [x86] libnvdimm/pmem: Honor force_raw for legacy pmem regions - [amd64] libnvdimm: Fix altmap reservation size calculation - crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails - [arm64] crypto: aes-ccm - fix logical bug in AAD MAC handling - CIFS: Do not reset lease state to NONE on lease break - CIFS: Fix read after write for files with read caching - tracing: Do not free iter->trace in fail path of tracing_open_pipe() - [amd64,arm64,i386] ACPI / device_sysfs: Avoid OF modalias creation for removed device - [armhf] spi: ti-qspi: Fix mmap read when more than one CS in use - [armhf] regulator: s2mps11: Fix steps for buck7, buck8 and LDO35 - [armhf] regulator: s2mpa01: Fix step values for some LDOs - [armhf] clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR - [armhf] clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown - [s390x] virtio: handle find on invalid queue gracefully - scsi: virtio_scsi: don't send sc payload with tmfs - scsi: sd: Optimal I/O size should be a multiple of physical block size - scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock - fs/devpts: always delete dcache dentry-s in dput() - splice: don't merge into linked buffers - btrfs: ensure that a DUP or RAID1 block group has exactly two stripes - crypto: pcbc - remove bogus memcpy()s with src == dest - libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer - [arm64,armhf] cpufreq: tegra124: add missing of_node_put() - ext4: fix crash during online resizing - [armhf] clk: clk-twl6040: Fix imprecise external abort for pdmclk - [x86] nfit: acpi_nfit_ctl(): Check out_obj->type in the right place - mm: hwpoison: fix thp split handing in soft_offline_in_use_page() (CVE-2019-10124) - mm/vmalloc: fix size check for remap_vmalloc_range_partial() - kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv - device property: Fix the length used in PROPERTY_ENTRY_STRING() - [x86] intel_th: Don't reference unassigned outputs - parport_pc: fix find_superio io compare code, should use equal test. - [arm64,armhf] i2c: tegra: fix maximum transfer size - [x86] drm/i915: Relax mmap VMA check - [arm64] serial: uartps: Fix stuck ISR if RX disabled with non-empty FIFO - serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart - 8250: FIX Fourth port offset of Pericom PI7C9X7954 boards - serial: 8250_pci: Fix number of ports for ACCES serial cards - serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup() - jbd2: clear dirty flag when revoking a buffer from an older transaction - jbd2: fix compile warning when using JBUFFER_TRACE - [powerpc] Clear on-stack exception marker upon exception return - [ppc64el] powernv: Make opal log only readable by root - [ppc64el] Fix 32-bit KVM-PR lockup and host crash with MacOS guest - [ppc64el] ptrace: Simplify vr_get/set() to avoid GCC warning - dm: fix to_sector() for 32bit - NFS: Fix I/O request leakages - NFS: Fix an I/O request leakage in nfs_do_recoalesce - NFS: Don't recoalesce on error in nfs_pageio_complete_mirror() - nfsd: fix memory corruption caused by readdir - nfsd: fix wrong check in write_v4_end_grace() - PM / wakeup: Rework wakeup source timer cancellation - bcache: never writeback a discard operation - [x86] perf intel-pt: Fix CYC timestamp calculation after OVF - perf auxtrace: Define auxtrace record alignment - [x86] perf intel-pt: Fix overlap calculation for padding - [x86] perf intel-pt: Fix divide by zero when TSC is not available - md: Fix failed allocation of md_register_thread - rcu: Do RCU GP kthread self-wakeup from softirq and interrupt - media: uvcvideo: Avoid NULL pointer dereference at the end of streaming - drm/radeon/evergreen_cs: fix missing break in switch statement - [x86] KVM: nVMX: Sign extend displacements of VMX instr's mem operands - [x86] KVM: nVMX: Ignore limit checks on VMX instructions using flat segments - [x86] KVM: Fix residual mmio emulation request to userspace https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.166 - [x86] drm/vmwgfx: Don't double-free the mode stored in par->set_mode - [amd64] iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE - libceph: wait for latest osdmap in ceph_monc_blacklist_add() - udf: Fix crash on IO error during truncate - [mips*] Ensure ELF appended dtb is relocated - [mips*] Fix kernel crash for R6 in jump label branch function - futex: Ensure that futex address is aligned in handle_futex_death() - objtool: Move objtool_file struct off the stack - ext4: fix NULL pointer dereference while journal is aborted - ext4: fix data corruption caused by unaligned direct AIO - ext4: brelse all indirect buffer in ext4_ind_remove_space() - media: v4l2-ctrls.c/uvc: zero v4l2_event - Bluetooth: Fix decrementing reference count twice in releasing socket - ALSA: hda - Record the current power state before suspend/resume calls - ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec - tcp/dccp: drop SYN packets if accept queue is full - vfs: Hang/soft lockup in d_invalidate with simultaneous calls - [arm64] traps: disable irq in die() - lib/int_sqrt: optimize small argument - scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 - rtc: Fix overflow when converting time64_t to rtc_time - [armhf] pwm-backlight: Enable/disable the PWM before/after LCD enable toggle. - ath10k: avoid possible string overflow https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.167 - Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt (CVE-2019-3460) - Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer (CVE-2019-3459) - cfg80211: size various nl80211 messages correctly - [arm64,armhf] stmmac: copy unicast mac address to MAC registers - dccp: do not use ipv6 header for ipv4 flow - mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S - net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec - net: rose: fix a possible stack overflow - packets: Always register packet sk in the same order - tcp: do not use ipv6 header for ipv4 flow - vxlan: Don't call gro_cells_destroy() before device is unregistered - sctp: get sctphdr by offset in sctp_compute_cksum - tun: properly test for IFF_UP - tun: add a missing rcu_read_unlock() in error path - btrfs: remove WARN_ON in log_dir_items - btrfs: raid56: properly unmap parity page in finish_parity_scrub() - [powerpc*] bpf: Fix generation of load/store DW instructions - NFSv4.1 don't free interrupted slot on open - ALSA: rawmidi: Fix potential Spectre v1 vulnerability - ALSA: pcm: Fix possible OOB access in PCM oss plugins - ALSA: pcm: Don't suspend stream in unrecoverable PCM state - fs/open.c: allow opening only regular files during execve() - scsi: sd: Fix a race between closing an sd device and sd I/O - scsi: sd: Quiesce warning if device does not report optimal I/O size - [s390x] scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host - [s390x] scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices - [x86] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest - USB: serial: cp210x: add new device id - USB: serial: ftdi_sio: add additional NovaTech products - USB: serial: mos7720: fix mos_parport refcount imbalance on error path - USB: serial: option: set driver_info for SIM5218 and compatibles - USB: serial: option: add Olicard 600 - fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links - usb: common: Consider only available nodes for dr_mode - [x86] perf intel-pt: Fix TSC slip - cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n - KVM: Reject device ioctls from processes other than the VM's creator - [x86] KVM: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts - USB: gadget: f_hid: fix deadlock in f_hidg_write() - xhci: Fix port resume done detection for SS ports with LPM enabled - [arm64] support keyctl() system call in 32-bit mode https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.168 - [arm64] debug: Don't propagate UNKNOWN FAR into si_code for debug signals - ext4: cleanup bh release code in ext4_ind_remove_space() - lib/int_sqrt: optimize initial value compute - mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified - i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA - CIFS: fix POSIX lock leak and invalid ptr deref - tracing: kdb: Fix ftdump to not sleep - [armhf] gpio: gpio-omap: fix level interrupt idling - include/linux/relay.h: fix percpu annotation in struct rchan - sysctl: handle overflow for file-max - [arm64] scsi: hisi_sas: Set PHY linkrate when disconnected - [armhf,ppc64el] mm/cma.c: cma_declare_contiguous: correct err handling - mm/page_ext.c: fix an imbalance with kmemleak - mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! - mm/slab.c: kmemleak no scan alien caches - ocfs2: fix a panic problem caused by o2cb_ctl - fs/file.c: initialize init_files.resize_wait - cifs: use correct format characters - dm thin: add sanity checks to thin-pool and external snapshot creation - cifs: Fix NULL pointer dereference of devname - jbd2: fix invalid descriptor block checksum - fs: fix guard_bio_eod to check for real EOD errors - wil6210: check null pointer in _wil_cfg80211_merge_extra_ies - [arm64,armhf] usb: chipidea: Grab the (legacy) USB PHY by phandle first - scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c - [armel,armhf] 8840/1: use a raw_spinlock_t in unwind - [armhf] mmc: omap: fix the maximum timeout setting - e1000e: Fix -Wformat-truncation warnings - IB/mlx4: Increase the timeout for CM cache - scsi: megaraid_sas: return error when create DMA pool failed - [armhf] SoC: imx-sgtl5000: add missing put_device() - vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 - [amd64] HID: intel-ish-hid: avoid binding wrong ishtp_cl_device - [armhf] leds: lp55xx: fix null deref on firmware load failure - iwlwifi: pcie: fix emergency path - [x86] ACPI / video: Refactor and fix dmi_is_desktop() - kprobes: Prohibit probing on bsearch() - ALSA: PCM: check if ops are defined before suspending PCM - usb: f_fs: Avoid crash due to out-of-scope stack ptr access - bcache: fix input overflow to cache set sysfs file io_error_halflife - bcache: fix input overflow to sequential_cutoff - bcache: improve sysfs_strtoul_clamp() - genirq: Avoid summation loops for /proc/stat - iw_cxgb4: fix srqidx leak during connection abort - fbdev: fbmem: fix memory access if logo is bigger than the screen - cdrom: Fix race condition in cdrom_sysctl_register - e1000e: fix cyclic resets at link up with active tx - efi/memattr: Don't bail on zero VA if it equals the region's PA - [arm64] soc: qcom: gsbi: Fix error handling in gsbi_probe() - [armhf] avoid Cortex-A9 livelock on tight dmb loops - tty: increase the default flip buffer limit to 2*640K - [ppc64el] powerpc/pseries: Perform full re-add of CPU for topology update post-migration - hwrng: virtio - Avoid repeated init of completion - [arm64,armhf] soc/tegra: fuse: Fix illegal free of IO base address - [amd64] HID: intel-ish: ipc: handle PIMR before ish_wakeup also clear PISR busy_clear bit - [x86] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable - [armhf] dmaengine: imx-dma: fix warning comparison of distinct pointer types - [arm64] dmaengine: qcom_hidma: assign channel cookie correctly - netfilter: physdev: relax br_netfilter dependency - [armhf] regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting - drm/nouveau: Stop using drm_crtc_force_disable - selinux: do not override context on context mounts - [arm64,armhf] wlcore: Fix memory leak in case wl12xx_fetch_firmware failure - [arm64,armhf] dmaengine: tegra: avoid overflow of byte tracking - drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers - [x86] ACPI / video: Extend chassis-type detection with a "Lunch Box" check . [ Ben Hutchings ] * debian/bin/abiupdate.py: Change default URLs to use https: scheme. * Resolve kernel ABI changes: - Revert "genirq: Avoid summation loops for /proc/stat" - tracing: ring_buffer: Avoid ABI change in 4.9.168 - net: icmp: Avoid ABI change in 4.9.163 - Revert "phonet: fix building with clang" - netfilter: Ignore removal of br_netfilter_enable() . [ Salvatore Bonaccorso ] * Refresh mm-mmap.c-expand_downwards-don-t-require-the-gap-if-.patch for context changes in 4.9.162 * [rt] Refresh 0008-futex-rt_mutex-Provide-futex-specific-rt_mutex-API.patch for context changes in 4.9.163 * [rt] Drop 0014-futex-rt_mutex-Restructure-rt_mutex_finish_proxy_loc.patch applied upstream in 4.9.163 * [rt] Refresh 0171-arm-include-definition-for-cpumask_t.patch for context changes in 4.9.165 * [rt] Drop 0256-arm-unwind-use-a-raw_spin_lock.patch linux (4.9.161-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.145 - [armhf] media: omap3isp: Unregister media device as first - [amd64] iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() - brcmutil: really fix decoding channel info for 160 MHz bandwidth - HID: input: Ignore battery reported by Symbol DS4308 - batman-adv: Expand merged fragment buffer for full packet - bnx2x: Assign unique DMAE channel number for FW DMAE transactions. - qed: Fix PTT leak in qed_drain() - qed: Fix reading wrong value in loop condition - net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command - net/mlx4_core: Fix uninitialized variable compilation warning - net/mlx4: Fix UBSAN warning of signed integer overflow - [amd64] iommu/vt-d: Use memunmap to free memremap - team: no need to do team_notify_peers or team_mcast_rejoin when disabling port - mm: don't warn about allocations which stall for too long - usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device - usb: appledisplay: Add 27" Apple Cinema Display - USB: check usb_get_extra_descriptor for proper size (CVE-2018-20169) - ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c (CVE-2018-19824) - [x86] ALSA: hda: Add support for AMD Stoney Ridge - ALSA: pcm: Fix starvation on down_write_nonblock() - ALSA: pcm: Call snd_pcm_unlink() conditionally at closing - ALSA: pcm: Fix interval evaluation with openmin/max - [x86] ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570 - [s390x] virtio: avoid race on vcdev->config - [s390x] virtio: fix race in ccw_io_helper() - SUNRPC: Fix leak of krb5p encode pages - [armhf] dmaengine: cppi41: delete channel from pending list when stop channel - xhci: Prevent U1/U2 link pm states if exit latency is too long - swiotlb: clean up reporting - vsock: lookup and setup guest_cid inside vhost_vsock_lock - vhost/vsock: fix use-after-free in network stack callers (CVE-2018-14625) - cifs: Fix separator when building path from dentry - staging: rtl8712: Fix possible buffer overrun - tty: do not set TTY_IO_ERROR flag if console port - mac80211_hwsim: Timer should be initialized before device registered - mac80211: Clear beacon_int in ieee80211_do_stop - mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext - mac80211: fix reordering of buffered broadcast packets - mac80211: ignore NullFunc frames in the duplicate detection https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.146 - ipv6: Check available headroom in ip6_xmit() even without options - net: 8139cp: fix a BUG triggered by changing mtu with network traffic - net/mlx4_core: Correctly set PFC param if global pause is turned off. - net: phy: don't allow __set_phy_supported to add unsupported modes - net: Prevent invalid access to skb->prev in __qdisc_drop_all - rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices - tcp: fix NULL ref in tail loss probe - tun: forbid iface creation with rtnl ops - neighbour: Avoid writing before skb->head in neigh_hh_output() - [armhf] OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup - sysv: return 'err' instead of 0 in __sysv_write_inode - [s390x] cpum_cf: Reject request for sampling in event initialization - [armhf] ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing - ASoC: dapm: Recalculate audio map forcely when card instantiated - hwmon: (w83795) temp4_type has writable permission - objtool: Fix double-free in .cold detection error path - objtool: Fix segfault in .cold detection with -ffunction-sections - Btrfs: send, fix infinite loop due to directory rename dependencies - RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR - [armhf] ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE - [armhf] ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE - exportfs: do not read dentry after free - bpf: fix check of allowed specifiers in bpf_trace_printk - ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf - [arm64] net: thunderx: fix NULL pointer dereference in nic_remove - cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is active - igb: fix uninitialized variables - ixgbe: recognize 1000BaseLX SFP modules as 1Gbps - [arm64] net: hisilicon: remove unexpected free_netdev - drm/ast: fixed reading monitor EDID not stable issue - fscache: fix race between enablement and dropping of object - ocfs2: fix deadlock caused by ocfs2_defrag_extent() - hfs: do not free node before using - hfsplus: do not free node before using - ocfs2: fix potential use after free - pstore: Convert console write to use ->write_buf - staging: speakup: Replace strncpy with memcpy https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.147 - signal: Introduce COMPAT_SIGMINSTKSZ for use in compat_sys_sigaltstack (Closes: #904385) - timer/debug: Change /proc/timer_list from 0444 to 0400 - [armhf] pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 - aio: fix spectre gadget in lookup_ioctx - [armhf] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 - [arm*] ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt - tracing: Fix memory leak in set_trigger_filter() - tracing: Fix memory leak of instance function hash filters - [powerpc*] msi: Fix NULL pointer access in teardown code - Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" - [x86] drm/i915/execlists: Apply a full mb before execution for Braswell - mac80211: don't WARN on bad WMM parameters from buggy APs - mac80211: Fix condition validating WMM IE - [amd64] IB/hfi1: Remove race conditions in user_sdma send path - [x86] locking: Remove smp_read_barrier_depends() from queued_spin_lock_slowpath() - [x86] locking/qspinlock: Ensure node is initialised before updating prev->next - [x86] locking/qspinlock: Bound spinning on pending->locked transition in slowpath - [x86] locking/qspinlock: Merge 'struct __qspinlock' into 'struct qspinlock' - [x86] locking/qspinlock: Remove unbounded cmpxchg() loop from locking slowpath - [x86] locking/qspinlock: Remove duplicate clear_pending() function from PV code - [x86] locking/qspinlock: Kill cmpxchg() loop when claiming lock from head of queue - [x86] locking/qspinlock: Re-order code - [x86] locking/qspinlock/x86: Increase _Q_PENDING_LOOPS upper bound - [x86] locking/qspinlock, x86: Provide liveness guarantee - [x86] locking/qspinlock: Fix build for anonymous union in older GCC compilers - mac80211_hwsim: fix module init error paths for netlink - scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset - [x86] scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload - [x86] earlyprintk/efi: Fix infinite loop on some screen widths - [arm64] drm/msm: Grab a vblank reference when waiting for commit_done - bonding: fix 802.3ad state sent to partner when unbinding slave - nfs: don't dirty kernel pages read by direct-io - SUNRPC: Fix a potential race in xprt_connect() - [arm64] clk: mvebu: Off by one bugs in cp110_of_clk_get() - [armhf] Input: omap-keypad - fix keyboard debounce configuration - libata: whitelist all SAMSUNG MZ7KM* solid-state disks - [armhf] mv88e6060: disable hardware level MAC learning - net/mlx4_en: Fix build break when CONFIG_INET is off - bpf: check pending signals while verifying programs - [arm*] 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling - [arm*] 8815/1: V7M: align v7m_dma_inv_range() with v7 counterpart - drm/ast: Fix connector leak during driver unload - cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) - vhost/vsock: fix reset orphans race with close timeout - [x86] i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node - nvmet-rdma: fix response use after free - [armhf] rtc: snvs: add a missing write sync - [armhf] rtc: snvs: Add timeouts to avoid kernel lockups https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.148 - block: break discard submissions into the user defined size - block: fix infinite loop if the device loses discard capability - ib_srpt: Fix a use-after-free in __srpt_close_all_ch() - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (CVE-2018-19985) - xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only - USB: serial: option: add GosunCn ZTE WeLink ME3630 - USB: serial: option: add HP lt4132 - USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) - USB: serial: option: add Fibocom NL668 series - USB: serial: option: add Telit LN940 series - mmc: core: Reset HPI enabled state during re-init and in case of errors - mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support - mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl - [armhf] mmc: omap_hsmmc: fix DMA API warning - [x86] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels - [x86] mtrr: Don't copy uninitialized gentry fields back to userspace - [x86] fpu: Disable bottom halves while loading FPU registers - ubifs: Handle re-linking of inodes correctly while recovery - panic: avoid deadlocks in re-entrant console drivers - proc/sysctl: don't return ENOMEM on lookup when a table is unregistering - drm/ioctl: Fix Spectre v1 vulnerabilities https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.149 - ip6mr: Fix potential Spectre v1 vulnerability - ipv4: Fix potential Spectre v1 vulnerability - ax25: fix a use-after-free in ax25_fillin_cb() - [ppc64el] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path - ieee802154: lowpan_header_create check must check daddr - ipv6: explicitly initialize udp6_addr in udp_sock_create6() - ipv6: tunnels: fix two use-after-free - isdn: fix kernel-infoleak in capi_unlocked_ioctl - net: ipv4: do not handle duplicate fragments as overlapping - net: phy: Fix the issue that netif always links up after resuming - netrom: fix locking in nr_find_socket() - packet: validate address length - packet: validate address length if non-zero - sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event - tipc: fix a double kfree_skb() - vhost: make sure used idx is seen before log in vhost_add_used_n() - [x86] VSOCK: Send reset control packet when socket is partially bound - xen/netfront: tolerate frags with no data - tipc: use lock_sock() in tipc_sk_reinit() - tipc: compare remote and local protocols in tipc_udp_enable() - gro_cell: add napi_disable in gro_cells_destroy - net/mlx5e: Remove the false indication of software timestamping support - net/mlx5: Typo fix in del_sw_hw_rule - sock: Make sock->sk_stamp thread-safe - ptr_ring: wrap back ->producer in __ptr_ring_swap_queue() - ALSA: rme9652: Fix potential Spectre v1 vulnerability - ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities - ALSA: pcm: Fix potential Spectre v1 vulnerability - ALSA: emux: Fix potential Spectre v1 vulnerabilities - ALSA: hda: add mute LED support for HP EliteBook 840 G4 - [arm64,armhf] ALSA: hda/tegra: clear pending irq handlers - USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays - USB: serial: option: add Fibocom NL678 series - qmi_wwan: apply SET_DTR quirk to the SIMCOM shared device ID - Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G - [x86] KVM: Use jmp to invoke kvm_spurious_fault() from .fixup - platform-msi: Free descriptors in platform_msi_domain_free() - perf pmu: Suppress potential format-truncation warning - ext4: fix possible use after free in ext4_quota_enable - ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() - ext4: fix EXT4_IOC_GROUP_ADD ioctl - ext4: include terminating u32 in size of xattr entries when expanding inodes - ext4: force inode writes when nfsd calls commit_metadata() - [arm64,armhf] spi: bcm2835: Fix race on DMA termination - [arm64,armhf] spi: bcm2835: Fix book-keeping of DMA termination - [arm64,armhf] spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode - [armhf] clk: rockchip: fix typo in rk3188 spdif_frac parent - cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. - f2fs: fix validation of the block count in sanity_check_raw_super - media: vivid: free bitmap_cap when updating std/timings/etc. - media: v4l2-tpg: array index could become negative - [mips*] Ensure pmd_present() returns false after pmd_mknotpresent() - [mips*] OCTEON: mark RGMII interface disabled on OCTEON III - CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem - [x86] kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested - [arm64] KVM: Avoid setting the upper 32 bits of VTCR_EL2 to 1 - [armhf] rtc: m41t80: Correct alarm month range with RTC reads - [x86] tpm: tpm_i2c_nuvoton: use correct command duration for TPM 2.x - [arm64,armhf] spi: bcm2835: Unbreak the build of esoteric configs https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.150 - [arm64] pinctrl: meson: fix pull enable register calculation - Input: restore EV_ABS ABS_RESERVED - xfrm: Fix bucket count reported to userspace - netfilter: seqadj: re-load tcp header pointer after possible head reallocation - scsi: bnx2fc: Fix NULL dereference in error handling - [armhf] Input: omap-keypad - fix idle configuration to not block SoC idle states - netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel - bnx2x: Clear fip MAC when fcoe offload support is disabled - bnx2x: Remove configured vlans as part of unload sequence. - bnx2x: Send update-svid ramrod with retry/poll flags enabled - scsi: target: iscsi: cxgbit: fix csk leak - scsi: target: iscsi: cxgbit: add missing spin_lock_init() - [arm64] net: hns: Incorrect offset address used for some registers. - [arm64] net: hns: All ports can not work when insmod hns ko after rmmod. - [arm64] net: hns: Some registers use wrong address according to the datasheet. - [arm64] net: hns: Fixed bug that netdev was opened twice - [arm64] net: hns: Clean rx fbd when ae stopped. - [arm64] net: hns: Free irq when exit from abnormal branch - [arm64] net: hns: Avoid net reset caused by pause frames storm - [arm64] net: hns: Fix ntuple-filters status error. - net: hns: Add mac pcs config when enable|disable mac - SUNRPC: Fix a race with XPRT_CONNECTING - lan78xx: Resolve issue with changing MAC address - vxge: ensure data0 is initialized in when fetching firmware version information - net: netxen: fix a missing check and an uninitialized use - [s390x] scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown - libceph: fix CEPH_FEATURE_CEPHX_V2 check in calc_signature() - fork: record start_time late - hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined - mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL - mm, devm_memremap_pages: kill mapping "System RAM" support - sunrpc: fix cache_head leak due to queued request - sunrpc: use SVC_NET() in svcauth_gss_* functions - [mips*] math-emu: Write-protect delay slot emulation pages - [amd64] crypto: x86/chacha20 - avoid sleeping with preemption disabled - vhost/vsock: fix uninitialized vhost_vsock->guest_cid - [amd64] IB/hfi1: Incorrect sizing of sge for PIO will OOPs - ALSA: cs46xx: Potential NULL dereference in probe - ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() - ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks - dlm: fixed memory leaks after failed ls_remove_names allocation - dlm: possible memory leak on error path in create_lkb() - dlm: lost put_lkb on error path in receive_convert() and receive_unlock() - dlm: memory leaks on error path in dlm_user_request() - gfs2: Get rid of potential double-freeing in gfs2_create_inode - gfs2: Fix loop in gfs2_rbm_find - b43: Fix error in cordic routine - [powerpc*] tm: Set MSR[TS] just prior to recheckpoint - 9p/net: put a lower bound on msize - rxe: fix error completion wr_id and qp_num - [amd64] iommu/vt-d: Handle domain agaw being less than iommu agaw - ceph: don't update importing cap's mseq when handing cap export - [ppc64el] genwqe: Fix size check - [x86] intel_th: msu: Fix an off-by-one in attribute store - [i386] power: supply: olpc_battery: correct the temperature units - [arm64,armhf] drm/vc4: Set ->is_yuv to false when num_planes == 1 - bnx2x: Fix NULL pointer dereference in bnx2x_del_all_vlans() on some hw https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.151 - ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 - CIFS: Do not hide EINTR after sending network packets - cifs: Fix potential OOB access of lock element array - usb: cdc-acm: send ZLP for Telit 3G Intel based modems - USB: storage: don't insert sane sense for SPC3+ when bad sense specified - USB: storage: add quirk for SMI SM3350 - USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB - slab: alien caches must not be initialized if the allocation of the alien cache failed - mm: page_mapped: don't assume compound page is huge or THP - ACPI: power: Skip duplicate power resource references in _PRx - i2c: dev: prevent adapter retries and timeout being set as minus value - rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set - ext4: make sure enough credits are reserved for dioread_nolock writes - ext4: fix a potential fiemap/page fault deadlock w/ inline_data - ext4: avoid kernel warning when writing the superblock to a dead device - sunrpc: use-after-free in svc_process_common() (CVE-2018-16884) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.152 - tty/ldsem: Wake up readers after timed out down_write() - tty: Hold tty_ldisc_lock() during tty_reopen() - tty: Simplify tty->count math in tty_reopen() - tty: Don't hold ldisc lock in tty_reopen() if ldisc present - can: gw: ensure DLC boundaries after CAN frame modification (CVE-2019-3701) - Revert "f2fs: do not recover from previous remained wrong dnodes" - media: em28xx: Fix misplaced reset of dev->v4l::field_count - proc: Remove empty line in /proc/self/status - [arm64] kvm: consistently handle host HCR_EL2 flags - [arm64] Don't trap host pointer auth use to EL2 - ipv6: fix kernel-infoleak in ipv6_local_error() - net: bridge: fix a bug on using a neighbour cache entry without checking its state - packet: Do not leak dev refcounts on error exit - bonding: update nest level on unlink - ip: on queued skb use skb_header_pointer instead of pskb_may_pull - crypto: authencesn - Avoid twice completion call in decrypt path - crypto: authenc - fix parsing key with misaligned rta_len - btrfs: wait on ordered extents on abort cleanup - Yama: Check for pid death before checking ancestry - scsi: core: Synchronize request queue PM status only on successful resume - scsi: sd: Fix cache_type_store() - [arm64] kaslr: ensure randomized quantities are clean to the PoC - [mips*] Disable MSI also when pcie-octeon.pcie_disable on - media: vivid: fix error handling of kthread_run - media: vivid: set min width/height to a value > 0 - LSM: Check for NULL cred-security on free - media: vb2: vb2_mmap: move lock up - sunrpc: handle ENOMEM in rpcb_getport_async - netfilter: ebtables: account ebt_table_info to kmemcg - selinux: fix GPF on invalid policy - blockdev: Fix livelocks on loop device - sctp: allocate sctp_sockaddr_entry with kzalloc - tipc: fix uninit-value in tipc_nl_compat_link_reset_stats - tipc: fix uninit-value in tipc_nl_compat_bearer_enable - tipc: fix uninit-value in tipc_nl_compat_link_set - tipc: fix uninit-value in tipc_nl_compat_name_table_dump - tipc: fix uninit-value in tipc_nl_compat_doit - block/loop: Use global lock for ioctl() operation. - loop: Fold __loop_release into loop_release - loop: Get rid of loop_index_mutex - loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() - drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock - mm, memcg: fix reclaim deadlock with writeback - media: vb2: be sure to unlock mutex on errors - nbd: set the logical and physical blocksize properly - nbd: Use set_blocksize() to set device blocksize https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.153 - r8169: Add support for new Realtek Ethernet - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses - [x86] platform: asus-wmi: Tell the EC the OS will handle the display off hotkey - e1000e: allow non-monotonic SYSTIM readings - writeback: don't decrement wb->refcnt if !wb->bdi - [arm64,armhf] serial: set suppress_bind_attrs flag only if builtin - ALSA: oxfw: add support for APOGEE duet FireWire - [arm64] perf: set suppress_bind_attrs flag to true - selinux: always allow mounting submounts - rxe: IB_WR_REG_MR does not capture MR's iova field - jffs2: Fix use of uninitialized delayed_work, lockdep breakage - pstore/ram: Do not treat empty buffers as valid - [ppc64el] powerpc/xmon: Fix invocation inside lock region - [powerpc*] powerpc/pseries/cpuidle: Fix preempt warning - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info - net: call sk_dst_reset when set SO_DONTROUTE - scsi: target: use consistent left-aligned ASCII INQUIRY data - [armhf] clk: imx6q: reset exclusive gates on init - tty/serial: do not free trasnmit buffer page under port lock - [x86] perf intel-pt: Fix error with config term "pt=0" - perf svghelper: Fix unchecked usage of strncpy() - perf parse-events: Fix unchecked usage of strncpy() - dm kcopyd: Fix bug causing workqueue stalls - dm snapshot: Fix excessive memory usage and workqueue stalls - ALSA: bebob: fix model-id of unit for Apogee Ensemble - sysfs: Disable lockdep for driver bind/unbind files - scsi: smartpqi: correct lun reset issues - scsi: megaraid: fix out-of-bound array accesses - ocfs2: fix panic due to unrecovered local alloc - mm/page-writeback.c: don't break integrity writeback on ->writepage() error - mm, proc: be more verbose about unstable VMA flags in /proc//smaps - [arm64] ipmi:ssif: Fix handling of multi-part return messages - locking/qspinlock: Pull in asm/byteorder.h to ensure correct endianness https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.154 - net: bridge: Fix ethernet header pointer before check skb forwardable - net: Fix usage of pskb_trim_rcsum - openvswitch: Avoid OOB read when parsing flow nlattrs - vhost: log dirty page correctly - net: ipv4: Fix memory leak in network namespace dismantle - net_sched: refetch skb protocol for each filter - ipfrag: really prevent allocation on netns exit - USB: serial: simple: add Motorola Tetra TPG2200 device id - USB: serial: pl2303: add new PID to support PL2303TB - [x86] ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages - [s390x] early: improve machine detection - [s390x] smp: fix CPU hotplug deadlock with CPU rescan - [x86] char/mwave: fix potential Spectre v1 vulnerability - staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 - tty: Handle problem if line discipline does not have receive_buf - uart: Fix crash in uart_write and uart_put_char - [x86] tty/n_hdlc: fix __might_sleep warning - CIFS: Fix possible hang during async MTU reads and writes - Input: xpad - add support for SteelSeries Stratus Duo - compiler.h: enable builtin overflow checkers and add fallback code - Input: uinput - fix undefined behavior in uinput_validate_absinfo() - [x86] acpi/nfit: Block function zero DSMs - [x86] acpi/nfit: Fix command-supported detection - dm thin: fix passdown_double_checking_shared_status() - [x86] KVM: Fix single-step debugging - [x86] kaslr: Fix incorrect i8254 outb() parameters - can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it - can: bcm: check timer values before ktime conversion - vt: invoke notifier on screen size change - perf unwind: Unwind with libdw doesn't take symfs into account - perf unwind: Take pgoff into account when reporting elf to libdwfl - [arm64] irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size - [s390x] smp: Fix calling smp_call_ipl_cpu() from ipl CPU - nvmet-rdma: Add unlikely for response allocated check - nvmet-rdma: fix null dereference under heavy load - f2fs: read page index before freeing - btrfs: fix error handling in btrfs_dev_replace_start - btrfs: dev-replace: go back to suspended state if target device is missing https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.155 - Fix "net: ipv4: do not handle duplicate fragments as overlapping" - fs: add the fsnotify call to vfs_iter_write - ipv6: Consider sk_bound_dev_if when binding a socket to an address (Closes: #918103) - l2tp: copy 4 more bytes to linear part if necessary - net/mlx4_core: Add masking for a few queries on HCA caps - netrom: switch to sock timer API - net/rose: fix NULL ax25_cb kernel panic - net/mlx5e: Allow MAC invalidation while spoofchk is ON - l2tp: remove l2specific_len dependency in l2tp_core - l2tp: fix reading optional fields of L2TPv3 - ipvlan, l3mdev: fix broken l3s mode wrt local routes - CIFS: Do not count -ENODATA as failure for query directory - fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() - [arm64] kaslr: ensure randomized quantities are clean also when kaslr is off - [arm64] hyp-stub: Forbid kprobing of the hyp-stub - [arm64] hibernate: Clean the __hyp_text to PoC after resume - gfs2: Revert "Fix loop in gfs2_rbm_find" - [x86] platform/x86: asus-nb-wmi: Map 0x35 to KEY_SCREENLOCK - [x86] platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes - [arm64,armhf] mmc: sdhci-iproc: handle mmc_of_parse() errors during probe - kernel/exit.c: release ptraced tasks before zap_pid_ns_processes - mm, oom: fix use-after-free in oom_kill_process - mm: hwpoison: use do_send_sig_info() instead of force_sig() - mm: migrate: don't rely on __PageMovable() of newpage after unlocking it - cifs: Always resolve hostname before reconnecting - drivers: core: Remove glue dirs from sysfs earlier - fs: don't scan the inode cache before SB_BORN is set - fanotify: fix handling of events on child sub-directory https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.156 - drm/bufs: Fix Spectre v1 vulnerability - [x86] ASoC: Intel: mrfld: fix uninitialized variable access - [armhf] gpu: ipu-v3: image-convert: Prevent race between run and unprepare - scsi: lpfc: Correct LCB RJT handling - [armhf] 8808/1: kexec:offline panic_smp_self_stop CPU - dlm: Don't swamp the CPU with callbacks queued during recovery - [x86] PCI: Fix Broadcom CNB20LE unintended sign extension (redux) - [ppc64el] powerpc/pseries: add of_node_put() in dlpar_detach_node() - [arm64,armhf] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE - ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl - [arm64,armhf] soc/tegra: Don't leak device tree node reference - [x86] iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID - media: adv*/tc358743/ths8200: fill in min width/height/pixelclock - f2fs: move dir data flush to write checkpoint process - f2fs: fix wrong return value of f2fs_acl_create - nfsd4: fix crash on writing v4_end_grace before nfsd startup - Thermal: do not clear passive state during system sleep - firmware/efi: Add NULL pointer checks in efivars API functions - [arm64] ftrace: don't adjust the LR value - [x86] fpu: Add might_fault() to user_insn() - smack: fix access permissions for keyring - usb: hub: delay hub autosuspend if USB3 port is still link training - timekeeping: Use proper seqcount initializer - [armhf] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module clocks - [amd64] iommu/amd: Fix amd_iommu=force_isolation - [armhf] dts: Fix OMAP4430 SDP Ethernet startup - [mips*] bpf: fix encoding bug for mm_srlv32_op - [arm64,armhf] iommu/arm-smmu: Add support for qcom,smmu-v2 variant - [arm64] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer - udf: Fix BUG on corrupted inode - memstick: Prevent memstick host from getting runtime suspended during card detection - [armhf] tty: serial: samsung: Properly set flags in autoCTS mode - perf header: Fix unchecked usage of strncpy() - perf probe: Fix unchecked usage of strncpy() - [arm64] KVM: Skip MMIO insn after emulation - mac80211: fix radiotap vendor presence bitmap handling - xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi - Bluetooth: Fix unnecessary error message for HCI request completion - scsi: smartpqi: correct host serial num for ssa - scsi: smartpqi: correct volume status - drbd: narrow rcu_read_lock in drbd_sync_handshake - drbd: disconnect, if the wrong UUIDs are attached on a connected peer - drbd: skip spurious timeout (ping-timeo) when failing promote - fbdev: fbmem: behave better with small rotated displays and many CPUs - i40e: define proper net_device::neigh_priv_len - igb: Fix an issue that PME is not enabled during runtime suspend - fbdev: fbcon: Fix unregister crash when more than one framebuffer - [arm64] pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins - [arm64] pinctrl: meson: meson8b: fix the GPIO function for the GPIOAO pins - [x86] KVM: svm: report MSR_IA32_MCG_EXT_CTL as unsupported - NFS: nfs_compare_mount_options always compare auth flavors. - hwmon: (lm80) fix a missing check of the status of SMBus read - hwmon: (lm80) fix a missing check of bus read in lm80 probe - seq_buf: Make seq_buf_puts() null-terminate the buffer - cifs: check ntwrk_buf_start for NULL before dereferencing it - um: Avoid marking pages with "changed protection" - niu: fix missing checks of niu_pci_eeprom_read - f2fs: fix sbi->extent_list corruption issue - ocfs2: don't clear bh uptodate for block read - HID: lenovo: Add checks to fix of_led_classdev_register - kernel/hung_task.c: break RCU locks based on jiffies - proc/sysctl: fix return error for proc_doulongvec_minmax() - fs/epoll: drop ovflist branch prediction - exec: load_script: don't blindly truncate shebang string - dccp: fool proof ccid_hc_[rt]x_parse_options() - rxrpc: bad unlock balance in rxrpc_recvmsg - skge: potential memory corruption in skge_get_regs() - rds: fix refcount bug in rds_sock_addref - net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames - [armhf] net: dsa: slave: Don't propagate flag changes on down slave interfaces - enic: fix checksum validation for IPv6 - ALSA: compress: Fix stop handling on compressed capture streams - ALSA: hda - Serialize codec registrations - fuse: call pipe_buf_release() under pipe lock - fuse: decrement NR_WRITEBACK_TEMP on the right page - fuse: handle zero sized retrieve correctly - [arm64,armhf] dmaengine: bcm2835: Fix interrupt race on RT - [arm64,armhf] dmaengine: bcm2835: Fix abort of transactions - [armhf] dmaengine: imx-dma: fix wrong callback invoke - [armhf] usb: phy: am335x: fix race condition in _probe - [armhf] usb: gadget: musb: fix short isoc packets with inventra dma - scsi: aic94xx: fix module loading - [x86] KVM: work around leak of uninitialized stack contents (CVE-2019-7222) - kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) - [x86] KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) - [x86] perf/x86/intel/uncore: Add Node ID mask - [x86] MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() - perf/core: Don't WARN() for impossible ring-buffer sizes - perf tests evsel-tp-sched: Fix bitwise operator - serial: fix race between flush_to_ldisc and tty_open - oom, oom_reaper: do not enqueue same task twice - [amd64] PCI: vmd: Free up IRQs on suspend path - [amd64] IB/hfi1: Add limit test for RC/UC send via loopback - [x86] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.157 - [armhf] mtd: rawnand: gpmi: fix MX28 bus master lockup problem - signal: Always notice exiting tasks - signal: Better detection of synchronous signals - [arm64,armhf] misc: vexpress: Off by one in vexpress_syscfg_exec() - debugfs: fix debugfs_rename parameter checking - [mips*] cm: reprime error cause - [mips*] OCTEON: don't set octeon_dma_bar_type if PCI is disabled - mac80211: ensure that mgmt tx skbs have tailroom for encryption - drm/modes: Prevent division by zero htotal - [x86] drm/vmwgfx: Fix setting of dma masks - [x86] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user - nfsd4: fix cached replies to solo SEQUENCE compounds - nfsd4: catch some false session retries - HID: debug: fix the ring buffer implementation (CVE-2019-3819) - Revert "cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)" - libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() - xfrm: refine validation of template and selector families - batman-adv: Avoid WARN on net_device without parent in netns - batman-adv: Force mac header to start of data on xmit https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.158 - Revert "exec: load_script: don't blindly truncate shebang string" https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.159 - dt-bindings: eeprom: at24: add "atmel,24c2048" compatible string - eeprom: at24: add support for 24c2048 - uapi/if_ether.h: prevent redefinition of struct ethhdr - [armel,armhf] 8789/1: signal: copy registers using __copy_to_user() - [armel,armhf] 8791/1: vfp: use __copy_to_user() when saving VFP state - [armel,armhf] 8793/1: signal: replace __put_user_error with __put_user - [armel,armhf] 8794/1: uaccess: Prevent speculative use of the current addr_limit - [armel,armhf] 8795/1: spectre-v1.1: use put_user() for __put_user() - [armel,armhf] 8796/1: spectre-v1,v1.1: provide helpers for address sanitization - [armel,armhf] 8797/1: spectre-v1.1: harden __copy_to_user - [armel,armhf] 8810/1: vfp: Fix wrong assignement to ufp_exc - [armel,armhf] make lookup_processor_type() non-__init - [armel,armhf] split out processor lookup - [armel,armhf] clean up per-processor check_bugs method call - [armel,armhf] add PROC_VTABLE and PROC_TABLE macros - [armel,armhf] spectre-v2: per-CPU vtables to work around big.Little systems - [armel,armhf] ensure that processor vtables is not lost after boot - [armel,armhf] fix the cockup in the previous patch - net: create skb_gso_validate_mac_len() (CVE-2018-1000026) - bnx2x: disable GSO where gso_size is too big for hardware (CVE-2018-1000026) - [i386] ACPI: NUMA: Use correct type for printing addresses on i386-PAE - cpufreq: check if policy is inactive early in __cpufreq_get() - [armel] dts: kirkwood: Fix polarity of GPIO fan lines - cifs: Limit memory used by lock request calls to a page - perf report: Include partial stacks unwound with libdw - Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G" - Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK - perf/core: Fix impossible ring-buffer sizes warning - [x86] perf: Add check_period PMU callback - ALSA: hda - Add quirk for HP EliteBook 840 G5 - ALSA: usb-audio: Fix implicit fb endpoint setup by quirk - [x86] kvm: vmx: Fix entry number check for add_atomic_switch_msr() - Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 - [alpha] fix page fault handling for r16-r18 targets - [alpha] Fix Eiger NR_IRQS to 128 - tracing/uprobes: Fix output for multiple string arguments - signal: Restore the stop PTRACE_EVENT_EXIT - [amd64] x86/a.out: Clear the dump structure initially - dm thin: fix bug where bio that overwrites thin block ignores FUA - [x86] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set - smsc95xx: Use skb_cow_head to deal with cloned skbs - ch9200: use skb_cow_head() to deal with cloned skbs - kaweth: use skb_cow_head() to deal with cloned skbs - [arm64,armhf] usb: dwc2: Remove unnecessary kfree - netfilter: nf_tables: fix mismatch in big-endian system - [arm64] pinctrl: msm: fix gpio-hog related boot issues - mm: stop leaking PageTables - uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define - Revert "scsi: aic94xx: fix module loading" https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.160 - net: fix IPv6 prefix route residue - [x86] vsock: cope with memory allocation failure at socket creation time - hwmon: (lm80) Fix missing unlock on error in set_fan_div() - net: Fix for_each_netdev_feature on Big endian - [arm64,armhf] net: stmmac: handle endianness in dwmac4_get_timestamp - sky2: Increase D3 delay again - vhost: correctly check the return value of translate_desc() in log_used() - net: Add header for usage of fls64() - tcp: tcp_v4_err() should be more careful - net: Do not allocate page fragments that are not skb aligned - tcp: clear icsk_backoff in tcp_write_queue_purge() - vxlan: test dev->flags & IFF_UP before calling netif_rx() - [arm64,armhf] net: stmmac: Fix a race in EEE enable callback - net: ipv4: use a dedicated counter for icmp_v4 redirect packets - btrfs: Remove false alert when fiemap range is smaller than on-disk extent - mISDN: fix a race in dev_expire_timer() - ax25: fix possible use-after-free https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.161 - mac80211: Free mpath object when rhashtable insertion fails - libceph: handle an empty authorize reply - ceph: avoid repeatedly adding inode to mdsc->snap_flush_list - numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES - proc, oom: do not report alien mms when setting oom_score_adj - KEYS: allow reaching the keys quotas exactly - [armhf] mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells - [armhf] mfd: twl-core: Fix section annotations on {,un}protect_pm_master - [arm64] mfd: qcom_rpm: write fw_version to CTRL_REG - [armhf] mfd: mc13xxx: Fix a missing check of a register-read failure - qed: Fix qed_ll2_post_rx_buffer_notify_fw() by adding a write memory barrier - [arm64] net: hns: Fix use after free identified by SLUB debug - scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param - [x86] scsi: isci: initialize shost fully before calling scsi_add_host() - atm: he: fix sign-extension overflow on large shift - [armhf] leds: lp5523: fix a missing check of return value of lp55xx_read - net/mlx5e: Fix wrong (zero) TX drop counter indication for representor - RDMA/srp: Rework SCSI device reset handling - KEYS: user: Align the payload buffer - KEYS: always initialize keyring_index_key::desc_len - batman-adv: fix uninit-value in batadv_interface_tx() - net/packet: fix 4gb buffer limit due to overflow check - team: avoid complex list operations in team_nl_cmd_options_set() - sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() - sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment - net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames - [hppa/parisc] Fix ptrace syscall number modification - [x86] hpet: Make cmd parameter of hpet_ioctl_common() unsigned - clocksource: Use GENMASK_ULL in definition of CLOCKSOURCE_MASK - netpoll: Fix device name check in netpoll_setup() - tracing: Use cpumask_available() to check if cpumask variable may be used - [x86] boot: Disable the address-of-packed-member compiler warning - [x86] drm/i915: Consistently use enum pipe for PCH transcoders - [x86] drm/i915: Fix enum pipe vs. enum transcoder for the PCH transcoder - [arm64] irqchip/gic-v3: Convert arm64 GIC accessors to {read,write}_sysreg_s - mm/zsmalloc.c: change stat type parameter to int - mm/zsmalloc.c: fix -Wunneeded-internal-declaration warning - Revert "bridge: do not add port to router list when receives query with source 0.0.0.0" - netfilter: nf_tables: fix flush after rule deletion in the same batch - [arm64] pinctrl: max77620: Use define directive for max77620_pinconf_param values - [arm64,armhf] phy: tegra: remove redundant self assignment of 'map' - sched/sysctl: Fix attributes of some extern declarations . [ Salvatore Bonaccorso ] * Refresh kbuild-use-nostdinc-in-compile-tests.patch for context changes in 4.9.145 * [rt] Update to 4.9.146-rt125 - seqlock: provide the same ordering semantics as mainline - squashfs: make use of local lock in multi_cpu decompressor - locallock: provide {get,put}_locked_ptr() variants - posix-timers: move the rcu head out of the union - alarmtimer: Prevent live lock in alarm_cancel() - block: blk-mq: move blk_queue_usage_counter_release() into process context - Revert "block: blk-mq: Use swait" - Revert "rt,ntp: Move call to schedule_delayed_work() to helper thread" - net: use task_struct instead of CPU number as the queue owner on -RT - locking: add types.h - mm/slub: close possible memory-leak in kmem_cache_alloc_bulk() - crypto: limit more FPU-enabled sections - sched, tracing: Fix trace_sched_pi_setprio() for deboosting - rcu: Suppress lockdep false-positive ->boost_mtx complaints - rcu: Do not include rtmutex_common.h unconditionally - rtmutex: Make rt_mutex_futex_unlock() safe for irq-off callsites - futex: Fix OWNER_DEAD fixup - futex: Avoid violating the 10th rule of futex - futex: Fix more put_pi_state() vs. exit_pi_state_list() races - futex: Fix pi_state->owner serialization * [rt] Refresh 0366-posix-timers-move-the-rcu-head-out-of-the-union.patch. Refresh for context changes caused by a Debian specific patch to avoid ABI change in 4.9.136: "posix-timers: Avoid ABI change in 4.9.136" * [rt] Refresh 0280-random-Make-it-work-on-rt.patch * [rt] Refresh 0198-fs-aio-simple-simple-work.patch for context changes in 4.9.147 * Btrfs: fix corruption reading shared and compressed extents after hole punching (Closes: #922306) . [ Ben Hutchings ] * Bump ABI to 9 and apply deferred changes: - netfilter: ipv6: nf_defrag: reduce struct net memory waste - proc/sysctl: prune stale dentries during unregistering - proc/sysctl: Don't grab i_lock under sysctl_lock. - proc: Fix proc_sys_prune_dcache to hold a sb reference - [mips*] Correct the 64-bit DSP accumulator register size - inet: frags: fix ip6frag_low_thresh boundary - inet: frags: reorganize struct netns_frags - rhashtable: reorganize struct rhashtable layout - inet: frags: break the 2GB limit for frags storage - elevator: fix truncation of icq_cache_name linux (4.9.144-3.1) stretch; urgency=high . * Non-maintainer upload. * Fix boot breakage on 32-bit arm (closes: #922478). Thanks to Adrian Bunk for spotting the mistake. linux-latest (80+deb9u7) stretch; urgency=medium . * Update to 4.9.0-9 mariadb-10.1 (10.1.38-0+deb9u1) stretch; urgency=medium . * SECURITY UPDATE: New upstream release 10.1.38. Includes fixes for the following security vulnerabilities (Closes: #920933): - CVE-2019-2537 - CVE-2019-2529 * Update correct branch name in gbp.conf * Disable test unit.pcre_test on s390x that was failing in stretch-security (Closes: #920854) * Limit build test suite to 'main' like in mariadb-10.3 to make unnecessary build failures less likely in lifetime of Stretch. * Fix mips compilation failure (__bss_start symbol missing) (Closes: #920855) * Extend the server README to clarify common misunderstandings (Closes: #878215) * Enable ccache in CMake path so it can be used automatically where available * Heavily refactor and unify gitlab-ci.yml MariaDB install/upgrade steps. This ensures uploads to Stretch are much more safer to do now than in the past. mariadb-10.1 (10.1.37-0+deb9u1) stretch-security; urgency=high . * SECURITY UPDATE: New upstream release 10.1.37. Includes fixes for the following security vulnerabilities (Closes: #912848); - CVE-2018-3282 - CVE-2018-3251 - CVE-2018-3174 - CVE-2018-3156 - CVE-2018-3143 - CVE-2016-9843 * Add (and rename) new man pages * Add Gitlab-CI definition file that can test each commit to this repository * Fix d/control metadata to match status for Debian Stretch * Physically remove patches no longer in series and not applied anyway * Fix wrong-path-for-interpreter in innotop script to make package Lintian error free as pass CI systems fully * Previous upstream version 10.1.35 included fixes for the following security vulnerabilities: - CVE-2018-3066 - CVE-2018-3064 - CVE-2018-3063 - CVE-2018-3058 * Previous upstream version 10.1.33 included fixes for the following security vulnerabilities: - CVE-2018-2819 - CVE-2018-2817 - CVE-2018-2813 - CVE-2018-2787 - CVE-2018-2784 - CVE-2018-2782 - CVE-2018-2781 - CVE-2018-2771 - CVE-2018-2767 - CVE-2018-2766 - CVE-2018-2761 - CVE-2018-2755 * Previous upstream version 10.1.31 included fixes for the following security vulnerabilities: - CVE-2018-2668 - CVE-2018-2665 - CVE-2018-2640 - CVE-2018-2622 - CVE-2018-2612 - CVE-2018-2562 * Revert "Update d/gbp.conf to track stretch branches" * New upstream version 10.1.30. Includes fixes for the following security vulnerabilities (Closes: #885345): - CVE-2017-15365 * Amend previous Debian changelog entries to contain new CVE identifiers * Refresh patches for MariaDB 10.1.30 and again for .34 * Delete unnecessary systemd files introduced by upstream * Add new files introduced by upstream to correct packages * Use list-missing instead of fail in d/rules so builds pass . [ Ondřej Surý ] * New upstream version 10.1.29. Includes fixes for the following security vulnerabilities: - CVE-2017-10378 - CVE-2017-10268 - MDEV-13819 * Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix mytop * Add mips64el to the list of platforms that are allowed to fail test suite * Handle new and/or missing files * Ignore failed tests on more non-release platforms (kfreebsd-i386, kfreebsd-amd64 and sparc64) * Rebase patches for MariaDB 10.1.29 . [ Christian Ehrhardt ] * d/t/upstream: skip func_regexp_pcre on s390x . [ Vicentiu Ciorbaru ] * Fix Mroonga compilation failure on arm64 * Extend libmariadbclient-rename.patch to cover TokuDB as well * Disable disks.disks test mariadb-10.1 (10.1.29-1) unstable; urgency=medium . * New upstream version 10.1.29 * Remove the mariadb-test-* packages as they are now provided by mariadb-10.2 (Closes: #881898) * Rebase patches for new upstream version. mariadb-10.1 (10.1.28-2) unstable; urgency=high . * Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix mytop (Closes: #875708) * Add mips64el to the list of platforms that are allowed to fail test suite (Closes: #879637) mariadb-10.1 (10.1.28-1) unstable; urgency=medium . * New upstream version 10.1.28 * Rebase patches on top of MariaDB 10.1.28 * Add extra symbols aliases for libmariadbclient_16 mariadb-10.1 (10.1.26-1) unstable; urgency=medium . * Ignore upstream debian/ directory when importing upstream tarball * New upstream version 10.1.26 * Refresh patches for MariaDB 10.1.26 * Remove unstable tests patches for unstable build, so we see what is really failing and what is not mosquitto (1.4.10-3+deb9u4) stretch-security; urgency=high . * Fix potential crash when reloading persistence file. (closes: #922071). mosquitto (1.4.10-3+deb9u3) stretch-security; urgency=high . * SECURITY UPDATE: If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces more stringent parsing tests on the password file data. - CVE-2018-12551 * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures that if an ACL file is defined but no rules are defined, then access will be denied. - CVE-2018-12550 * SECURITY UPDATE: If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option `check_retain_source` has been introduced to enforce checking of the retained message source on publish. - debian/patches/mosquitto-1.4.9-1.4.14-cve-2018-12546.patch: this patch stores the originator of the retained message, so security checking can be carried out before re-publishing. The complexity of the patch is due to the need to save this information across broker restarts. - CVE-2018-12546 mumble (1.2.18-1+deb9u1) stretch-security; urgency=high . * debian/patches: - Add 60-fix-message-flood.diff to fix instability and crash due to message flooding Thanks to "the zombi community" for finding the bug, committing a fix upstream, and contacting me to fix the issue in Debian - Add 61-configurable-rate-limit.diff to make message rate limit configurable ncmpc (0.25-0.1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix CVE-2018-9240 (Closes: #894724) neutron (2:9.1.1-3+deb9u1) stretch-security; urgency=medium . * CVE-2019-9735: it's possible to add a security group rule for VRRP with a dport. Apply upstream patch: When converting sg rules to iptables, do not emit dport if not supported. (Closes: #924508). node-superagent (0.20.0+dfsg-1+deb9u2) stretch; urgency=medium . * Fix incompatible instruction in CVE-2017-16129 patch node-superagent (0.20.0+dfsg-1+deb9u1) stretch; urgency=medium . * Team upload * Add patch to fix ZIP bomb attacks (Closes: CVE-2017-16129) ntfs-3g (1:2016.2.22AR.1+dfsg-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix heap-based buffer overflow (CVE-2019-9755) nvidia-graphics-drivers (390.116-1) stretch; urgency=medium . * New upstream legacy branch release 390.116 (2019-02-22). * Fixed CVE‑2018‑6260. (Closes: #913467) https://nvidia.custhelp.com/app/answers/detail/a_id/4772 - Fixed build failures which resulted in errors like "implicit declaration of function drm_...", when building the NVIDIA DRM kernel module for Linux kernel 5.0 release candidates. - Fixed a bug which could cause VK_KHR_external_semaphore_fd operations to fail. - Fixed a build failure, "implicit declaration of function 'vm_insert_pfn'", when building the NVIDIA DRM kernel module for Linux kernel 4.20 release candidates. - Fixed a build failure, "unknown type name 'ipmi_user_t'", when building the NVIDIA kernel module for Linux kernel 4.20 release candidates. - Fixed a bug that caused mode switches to fail when an SDI output board was connected. - Fixed a bug that could cause rendering corruption in Vulkan programs. - Fixed a bug that caused vkGetPhysicalDeviceDisplayPropertiesKHR() to occasionally return incorrect values for physicalResolution. * New upstream legacy branch release 340 series. - Fixed a build failure, "too many arguments to function 'get_user_pages'", when building the NVIDIA kernel module for Linux kernel v4.4.168. - Fixed a build failure, "implicit declaration of function do_gettimeofday", when building the NVIDIA kernel module for Linux kernel 5.0 release candidates. - Added a new kernel module parameter, NVreg_RestrictProfilingToAdminUsers, to allow restricting the use of GPU performance counters to system administrators only. . [ Luca Boccassi ] * Drop kmem_cache_create_usercopy.patch, drm-mode.patch, ipmi-user.patch, vm-insert-pfn.patch: fixed upstream. * Update symbols files. . [ Andreas Beckmann ] * nvidia-detect: stretch now has a 390.xx driver. * nvidia-kernel-source: Bump debhelper dependency to match Build-Depends. * Upload to stretch. nvidia-graphics-drivers (390.87-8) unstable; urgency=medium . * Tune more package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. nvidia-settings (390.116-1) stretch; urgency=medium . * New upstream release 390.116. - Added the synchronization state for PRIME Displays to nvidia-settings. - Fixed a bug that could prevent nvidia-xconfig from disabling the X Composite extension on version 1.20 of the X.org X server. * Upload to stretch. nvidia-settings (390.87-2) unstable; urgency=medium . * Drop versioned constraints that are satisfied in wheezy. * Switch to debhelper-compat (= 12). nvidia-settings (390.87-1) unstable; urgency=medium . * New upstream release 390.87. * Add Build-Depends-Package field to symbols file. * Bump Standards-Version to 4.3.0. No changes needed. obs-build (20160921-1+deb9u1) stretch; urgency=medium . * CVE-2017-14804 (Closes: #887306) - Improve extractbuild to avoid write to files in the host system. - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new openjdk-8 (8u212-b01-1~deb9u1) stretch-security; urgency=medium . * Rebuild for stretch openjdk-8 (8u202-b26-3) unstable; urgency=medium . * Fix the 8u202 merge for aarch32, not using SA. openjdk-8 (8u202-b26-2) unstable; urgency=medium . * Fix builds using the aarch32 hotspot version. openjdk-8 (8u202-b26-1) unstable; urgency=high . * Update to 8u202-b26. * Security fixes: - CVE-2019-2422, S8206290: Better FileChannel transfer performance. - CVE-2019-2426, S8209094: Improve web server connections. - S8199156: Better route routing. - S8199552: Update to build scripts. - S8200659: Improve BigDecimal support. - S8203955: Improve robot support. - S8204895: Better icon support. - S8205709: Proper allocation handling. - S8205714: Initial class initialization. - S8210094: Better loading of classloader classes. - S8210606: Improved data set handling. - S8210866: Improve JPEG processing. . [ Tiago Stürmer Daitx ] * Update DEP8 tests: - debian/tests/control: updated to allow stderr output and to remove dpkg-dev dependency. - debian/tests/jtdiff-autopkgtest.sh: use dpkg --print-architecture instead of dpkg-architecture; log script name on any output. - debian/tests/jtreg-autopkgtest.in: use dpkg --print-architecture instead of dpkg-architecture; do not retain test temporary files; log script name on any output. - debian/tests/jtreg-autopkgtest.sh: regenerated. openjdk-8 (8u191-b12-2) unstable; urgency=high . * Upload to unstable. * Remove the "Team upload" for the last upload to experimental. openjdk-8 (8u191-b12-1) experimental; urgency=medium . * Team upload * Update to 8u191-b12. (Closes: #911925, Closes: #912333, LP: #1800792) * debian/excludelist.jdk.jtx: no longer needed, using ProblemsList.txt from upstream now. * debian/excludelist.langtools.jtx: upstream testing does not use any exclusion list. * debian/patches/sec-webrev-8u191-b12*: removed, applied upstream. * debian/patches/jdk-8132985-backport-double-free.patch, debian/patches/jdk-8139803-backport-warning.patch: fix crash in freetypescaler due to double free, thanks to Heikki Aitakangas for the report and patches. (Closes: #911847) * debian/rules: - tar and save JTreport directory. - run the same limited set of tests as upstream does. - call the same testsuites scripts used for autopkgtest. - reenable jdk testsuite. - simplified and moved xvfb logic into check-jdk rule. - removed jtreg and xvfb build dependency logic and moved the bdeps into debian/control.in. - added rules to generate autopkgtest scripts from templates. * updated dep8 tests: - debian/test/control: run hotspot, langtools, and jdk testsuites. - debian/tests/hotspot, debian/tests/jdk, debian/tests/langtools: add scripts for each testsuite to be run. - debian/tests/jtreg-autopkgtest.sh: template to generate the jtreg script used by the autopkgtest tests. - debian/tests/jtdiff-autopkgtest.sh: used by the scripts to report any differences between the autopkgtest and the tests results generated during the openjdk package build. - debian/tests/jtreg-autopkgtest.sh: used by the scripts to run jtreg and put the resulting artifacts in the right places. - debian/tests/valid-tests: removed, no longer needed. openjdk-8 (8u181-b13-2) unstable; urgency=high . [ Tiago Stürmer Daitx ] * Apply patches from 8u191-b12 security update. - CVE-2018-3136, S8194534: Manifest better support. - CVE-2018-3139, S8196902: Better HTTP Redirection. - CVE-2018-3149, S8199177: Enhance JNDI lookups. - CVE-2018-3169, S8199226: Improve field accesses. - CVE-2018-3180, S8202613: Improve TLS connections stability. - CVE-2018-3183, S8202936: Improve script engine support. - CVE-2018-3214, S8205361: Better RIFF reading support. - CVE-2018-3211: Unspecified vulnerability in the Serviceability component. - S8195868: Address Internet Addresses. - S8195874: Improve jar specification adherence. - S8201756: Improve cipher inputs. - S8203654: Improve cypher state updates. - S8204497: Better formatting of decimals. * debian/patches/jdk-freetypeScaler-crash.diff: removed as this patch causes a memory leak; upstream fixed it in openjdk-7, albeit in a different way. Closes: #910672. . [ Matthias Klose ] * Bump standards version. openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium . * Non-maintainer upload by the Security Team. * CVE-2018-14423: Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873). * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks (closes: #889683). * CVE-2017-17480: Write stack buffer overflow due to missing buffer length formatter in fscanf call (closes: #884738). * CVE-2018-18088: Null pointer dereference caused by null image components in imagetopnm (closes: #910763). * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533). openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Apply upstream patch to make scp handle shell-style brace expansions when checking that filenames sent by the server match what the client requested (closes: #923486). openssl1.0 (1.0.2r-1~deb9u1) stretch-security; urgency=medium . [ Kurt Roeckx ] * New upstream version - Fixes CVE-2019-1559 . [ Sebastian Andrzej Siewior ] * Use openssl.cnf from the build directory for the testsuite. openssl1.0 (1.0.2q-2) unstable; urgency=medium . * User openssl.cnf from the build directory for the testsuite. openssl1.0 (1.0.2q-1) unstable; urgency=medium . * Correct typo in the riscv64 target (Closes: #891799). * Update to policy 4.1.4 - drop Priority: important. - use signing-key.asc and a https links for downloads. - point the VCS-* to salsa. * Import upstream version 1.0.2q - CVE-2018-5407 (Microarchitecture timing vulnerability in ECC scalar multiplication) - CVE-2018-0734 (Timing vulnerability in DSA signature generation) - CVE-2018-0732 (Client DoS due to large DH parameter) - CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation) (Closes: #895845) passenger (5.0.30-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * arbitrary file read via REVISION symlink (CVE-2017-16355) (Closes: #884463) * Fix privilege escalation in the Nginx module (CVE-2018-12029) (Closes: #921767) pdns (4.0.3-1+deb9u4) stretch-security; urgency=medium . * Insufficient validation in the HTTP remote backend (CVE-2019-3871) Thanks to Salvatore Bonaccorso (Closes: #924966) perlbrew (0.78-1+deb9u1) stretch; urgency=medium . * Backport upstream fix for CPAN URLs. CPAN URLs have changed to use HTTPS, which makes perlbrew fail to detect perl tarballs. This patch changes the regexp to allow both HTTP and HTTPS. (Closes: #927065) php7.0 (7.0.33-0+deb9u3) stretch-security; urgency=medium . * Pull security fixes from https://github.com/Microsoft/php-src, a shared effort by Remi Collet and Anatol Belski to keep up with security issues in PHP 5.6.40 after EOL. * Security Issues Fixed: + Core: - Fixed bug #77630 (rename() across the device may allow unwanted access during processing). + EXIF: - Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). - Fixed bug #77540 (Invalid Read on exif_process_SOFn). - Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). - Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). + PHAR: - Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename). - Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). + SPL: - Fixed bug #77431 (openFile() silently truncates after a null byte). php7.0 (7.0.33-0+deb9u2) stretch-security; urgency=medium . * CVE-2019-9020 * CVE-2019-9021 * CVE-2019-9022 (plus backport for CAA support) * CVE-2019-9023 * CVE-2019-9024 postfix (3.1.12-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Add detailed smarthost instructions to README.Debian. Thanks to Celejar for the input. Closes: #919444 * Refresh patches . [Wietse Venema] . * 3.1.10 - Bugfix (introduced: Postfix 2.11): minor memory leak when minting issuer certs. This affects a tiny minority of use cases. Viktor Dukhovni, based on a fix by Juan Altmayer Pizzorno for the ssl_dane library. File: tls/tls_dane.c. - Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes, table lookups could casefold the search string when searching a lookup table that does not use fixed-string keys (regexp, pcre, tcp, etc.). Historically, Postfix would not case-fold the search string with such tables. File: util/dict_utf8.c. Closes: #917512 - Multiple 'bit rot' fixes for OpenSSL API changes, including support to disable TLSv1.3, to avoid issuing multiple session tickets. Viktor Dukhovni. Files: proto/postconf.proto, proto/TLS_README.html, tls/tls.h, tls/tls_server.c, tls/tls_misc.c. - Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could not disable "SMTPUTF8". because the lookup table was using "EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c. - Documentation: update documentation for Postfix versions that support disabling TLS 1.3. File: proto/postconf.proto. - Improved logging of TLS 1.3 summary information, and improved reporting of the same info in Received: message headers. Viktor Dukhovni. Files: proto/FORWARD_SECRECY_README.html, posttls-finger/posttls-finger.c, smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h, tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, tls/tls_server.c. * 3.1.11 - Bugfix (introduced: postfix-2.11): with posttls-finger, connections to unix-domain servers always resulted in "Failed to establish session" even after a connection was established. Jaroslav Skarva. File: posttls-finger/posttls-finger.c. * 3.1.12 - Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce has been producing false rejects starting with the Postfix 2.2 smtpd_end_of_data_restrictons, and for the same reasons, did the same with the Postfix 3.4 BDAT command. The latter was reported by Andreas Schulze. File: smtpd/smtpd_check.c. - Bugfix (introduced: Postfix 3.0): LMTP connections over UNIX-domain sockets were cached but not reused, due to a cache lookup key mismatch. Therefore, idle cached connections could exhaust LMTP server resources, resulting in two-second pauses between email deliveries. This problem was investigated by Juliana Rodrigueiro. File: smtp/smtp_connect.c. postgresql-9.6 (9.6.12-0+deb9u1) stretch; urgency=medium . * New upstream version. * Revert upstream patch "Disallow setting client_min_messages higher than ERROR", it causes to much disruption to existing (test) scripts. psk31lx (2.1-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Make the version of the binary package 2.1+2.2really2.1-1+deb9u1 s.t. this sorts after the package in lenny (2.1+2.2beta1-8, built from src:twpsk) and before the the package in buster (2.2-1). (Closes: #911780) publicsuffix (20190415.1030-0+deb9u1) stretch; urgency=medium . * new upstream publicsuffix data publicsuffix (20190329.0756-1) unstable; urgency=medium . * new upstream version publicsuffix (20190221.0923-1) unstable; urgency=medium . * new upstream version publicsuffix (20190221.0923-0+deb9u1) stretch; urgency=medium . * new upstream publicsuffix data publicsuffix (20190128.1516-1) unstable; urgency=medium . * new upstream version publicsuffix (20181227.1630-1) unstable; urgency=medium . * new upstream version publicsuffix (20181108.2228-1) unstable; urgency=medium . * new upstream version publicsuffix (20181030.1007-1) unstable; urgency=medium . * new upstream version publicsuffix (20181003.1334-3) unstable; urgency=medium . * correct name of diff package for autopkgtest publicsuffix (20181003.1334-2) unstable; urgency=medium . * Standards-Version: bump to 4.2.1 (no changes needed) * add debian/watch to look at git, despite #910762 * added simple autopkgtest (borrowed from libpsl) publicsuffix (20181003.1334-1) unstable; urgency=medium . * new upstream version putty (0.67-3+deb9u1) stretch-security; urgency=high . * Backport security fixes from 0.71: - In random_add_noise, put the hashed noise into the pool, not the raw noise. - New facility for removing pending toplevel callbacks. - CVE-2019-9898: Fix one-byte buffer overrun in random_add_noise(). - uxnet: clean up callbacks when closing a NetSocket. - sk_tcp_close: fix memory leak of output bufchain. - Fix handling of bad RSA key with n=p=q=0. - Sanity-check the 'Public-Lines' field in ppk files. - Introduce an enum of the uxsel / select_result flags. - CVE-2019-9895: Switch to using poll(2) in place of select(2). - CVE-2019-9894: RSA kex: enforce the minimum key length. - CVE-2019-9897: Fix crash on ESC#6 + combining chars + GTK + odd-width terminal. - CVE-2019-9897: Limit the number of combining chars per terminal cell. - minibidi: fix read past end of line in rule W5. - CVE-2019-9897: Fix crash printing a width-2 char in a width-1 terminal. pyca (20031119-0.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . pyca (20031119-0.1) unstable; urgency=medium . * Non-maintainer upload. * Add 'missingok' to logrotate config. (Closes: #914836) * Add dummy binary-arch target. python-certbot (0.28.0-1~deb9u2) stretch; urgency=high . * The previous stable update incorrectly disabled systemd timer due to a change in debhelper compat version. This release drops the compat level back to debhelper 9, thus forcing a restart of the systemd timer. (Closes: #922031) . The behavior of dh_systemd_start changed between compat v9 and compat v10; in v9, timers were stopped in postrm and started in postinst, but in v10 timers were only started in postinst if they were running. Switching back to v9 will unilaterally start the timer in postinst once more. * Fix an FTBFS due to sbuild not considering or'ed dependencies. (Closes: #922543) python-cryptography (1.7.1-3+deb9u1) stretch; urgency=medium . * Remove BIO_callback_ctrl: The prototype differs with the OpenSSL's definition of it after it was changed (fixed) within OpenSSL. It has no users. python-django-casclient (1.2.0-2+deb9u1) stretch; urgency=medium . [ William Blough ] * Team upload * Apply django 1.10 middleware fix from upstream (Closes: #926350) . [ Adrian Bunk ] * python-django-casclient: Add the missing dependency on python-django. (Closes: #896317) * python3-django-casclient: Add the missing dependency on python3-django. (Closes: #896404) python-mode (1:6.2.3-1.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload * Rebuild for stretch. . python-mode (1:6.2.3-1.1) unstable; urgency=medium . * Non-maintainer upload * Drop xemacs21 support (Closes: #909383, #680578, #837991) python-pip (9.0.1-2+deb9u1) stretch; urgency=medium . * Team upload. * Add Properly_catch_requests_HTTPError_in_index.py.patch, which fixes --extra-index-url results in "HTTPError: 404 Client Error: NOT FOUND". The patch makes works even with the unbundled requests. (Closes: #837764). python-pykmip (0.5.0-4+deb9u1) stretch; urgency=medium . * CVE-2018-1000872: Resource Management Errors (similar issue to CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the server can be made unavailable by one or more clients opening all of the available sockets. Applied upstream patch: Fix a denial-of-service bug by setting the server socket timeout (Closes: #917030). qtbase-opensource-src (5.7.1+dfsg-3+deb9u1) stretch-security; urgency=medium . * Backport fixes for: - CVE-2018-15518: “double free or corruption” in QXmlStreamReader - CVE-2018-19873: QBmpHandler segfault on malformed BMP file - CVE-2018-19870: Check for QImage allocation failure in qgifhandler * Backport ensure_pixel_density_of_at_least_1.patch in order to fix VLC after it's security update (Closes: #907139). r-cran-igraph (1.0.1-1+deb9u1) stretch; urgency=medium . * Add upstream patch to fix: CVE-2018-20349 (Closes: #917212). rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium . * CVE-2018-16476 (Closes: #914847) * CVE-2019-5418 / CVE-2019-5419 (Closes: #924520) rdesktop (1.8.4-1~deb9u1) stretch-security; urgency=medium . * Security backport for Stretch. * Relax debhelper build dependency. * Relax Standards-Version to 3.9.8 . rssh (2.3.4-5+deb9u4) stretch-security; urgency=high . * The fix for the scp security vulnerability in 2.3.4-9 combined with the regression fix in 2.3.4-10 rejected the -pf and -pt options, which are sent by libssh2's scp support. Add support for those variants. (LP #1815935) rsync (3.1.2-1+deb9u2) stretch; urgency=medium . * Apply CVEs from 2016 to the zlib code. closes:#924509 ruby-i18n (0.7.0-2+deb9u1) stretch; urgency=medium . * CVE-2014-10077: Prevent a remote denial-of-service vulnerability via an application crash by engineering a situation where `:some_key` is present in `keep_keys` but not present in the hash. (Closes: #913093) ruby2.3 (2.3.3-1+deb9u6) stretch-security; urgency=medium . * CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324 * CVE-2019-8325 ruby2.3 (2.3.3-1+deb9u5) stretch; urgency=medium . * Backport upstream patches to fix FTBFS due to expired SSL certificate and timezone changes (Closes: #919999) - imap: update test certificate - timezone changes for Japan and Kiritimati * test/ruby/test_gc.rb: skip entirely; some tests in there can fail unpredictably on buildds (Closes: #912740) ruby2.3 (2.3.3-1+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * OpenSSL::X509::Name equality check does not work correctly (CVE-2018-16395) * pack.c: avoid returning uninitialized String * Tainted flags are not propagated in Array#pack and String#unpack with some directives (CVE-2018-16396) ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium . [ Santiago R.R. ] * Fix Command injection vulnerability in Net::FTP. [CVE-2017-17405] * webrick: use IO.copy_stream for multipart response. Required changes in WEBrick to fix CVE-2017-17742 and CVE-2018-8777 * Fix HTTP response splitting in WEBrick. [CVE-2017-17742] * Fix Command Injection in Hosts::new() by use of Kernel#open. [CVE-2017-17790] * Fix Unintentional directory traversal by poisoned NUL byte in Dir [CVE-2018-8780] * Fix multiple vulnerabilities in RubyGems. CVE-2018-1000073: Prevent Path Traversal issue during gem installation. CVE-2018-1000074: Fix possible Unsafe Object Deserialization Vulnerability in gem owner. CVE-2018-1000075: Strictly interpret octal fields in tar headers. CVE-2018-1000076: Raise a security error when there are duplicate files in a package. CVE-2018-1000077: Enforce URL validation on spec homepage attribute. CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when displayed via gem server. CVE-2018-1000079: Prevent path traversal when writing to a symlinked basedir outside of the root. * Fix directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library [CVE-2018-6914] * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket [CVE-2018-8779] * Fix Buffer under-read in String#unpack [CVE-2018-8778] * Fix tests to cope with updates in tzdata (Closes: #889117) * Exclude Rinda TestRingFinger and TestRingServer test units requiring network access (Closes: #898694) . [ Antonio Terceiro ] * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to assumptions that don't hold on newer tzdata update. Upstream bug: https://bugs.ruby-lang.org/issues/14655 runc (0.1.1+dfsg1-2+deb9u1) stretch; urgency=medium . * Team upload. * Add patch to address CVE-2019-5736 (Closes: #922050) samba (2:4.5.16+dfsg-1+deb9u1) stretch-security; urgency=high . * This is a security release in order to address the following defect: - CVE-2019-3880 Save registry file outside share as unprivileged user spip (3.1.4-4~deb9u2) stretch-security; urgency=medium . * Update security screen to 1.3.11 * Backport security fix from 3.1.10 - Arbitrary code execution for any identified visitor (Closes: #926764) systemd (232-25+deb9u11) stretch-security; urgency=high . * pam-systemd: use secure_getenv() rather than getenv() Fixes a vulnerability in the systemd PAM module which insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. (CVE-2019-3842) systemd (232-25+deb9u10) stretch; urgency=medium . * journald: fix assertion failure on journal_file_link_data (Closes: #916880) * tmpfiles: fix "e" to support shell style globs (Closes: #918400) * mount-util: accept that name_to_handle_at() might fail with EPERM. Container managers frequently block name_to_handle_at(), returning EACCES or EPERM when this is issued. Accept that, and simply fall back to fdinfo-based checks. (Closes: #917122) * automount: ack automount requests even when already mounted. Fixes a race condition in systemd which could result in automount requests not being serviced and processes using them to hang, causing denial of service. (CVE-2018-1049) * core: when deserializing state always use read_line(…, LONG_LINE_MAX, …) Fixes improper serialization on upgrade which can influence systemd execution environment and lead to root privilege escalation. (CVE-2018-15686, Closes: #912005) systemd (232-25+deb9u9) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Refuse dbus message paths longer than BUS_PATH_SIZE_MAX limit (CVE-2019-6454) * Allocate temporary strings to hold dbus paths on the heap (CVE-2019-6454) * sd-bus: if we receive an invalid dbus message, ignore and proceeed (CVE-2019-6454) thunderbird (1:60.6.1-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.5.1-1) unstable; urgency=medium . [ Alexander Nitsch ] * [c9775d4] Make the logo SVG square The original SVG source isn't completely square, modifying the SVG file so all generated other files from the input are also exactly square. * [6096812] Add script for generating PNGs from logo SVG * [4e9e5cc] Update icon PNGs to be properly scaled . [ Carsten Schoenert ] * [9e5527d] d/source.filter: add some configure scripts Filter out some files that are named 'configure', they are rebuild later anyway. The filtering of these files is moved from gbp.conf to source.filter. * [b63f2a2] Revert "d/gbp.conf: ignore configure script while importing" Reverting this commit as we need to move the files to filter to source.filter as the behaviour wasn't the expected outcome. * [4965c2a] New upstream version 60.5.1 Fixed CVE issues in upstream version 60.5.0 (MFSA 2019-06) CVE-2018-18356: Use-after-free in Skia CVE-2019-5785: Integer overflow in Skia CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D CVE-2018-18509: S/MIME signature spoofing thunderbird (1:60.5.1-1~deb9u1) stretch-security; urgency=medium . [ Carsten Schoenert ] * Rebuild for stretch-security thunderbird (1:60.5.0-3) unstable; urgency=medium . * [3e274d8] d/rules: move disable debug option into configure step Adding the option '--disable-debug-symbols' to the file mozconfig.default in case the build is running on a 32bit architecture instead of expanding the variable 'CONFIGURE_FLAGS'. The configuration approach for this option taken from firefox-esr was not working for the thunderbird package. * [b3d82d3] d/rules: reorder LDFLAGS for better readability Make the used additional options for LDFLAGS better readable by reordering the various used options. Also adding the option '-Wl, --as-needed' to the list of used options here. * [62d11e3] d/rules: use 'compress-debug-sections' only on 64bit Do not set 'LDFLAGS += -Wl,--compress-debug-sections=zlib' globally, lets use this option only if we are on a 64bit architecture as otherwise the build is failing on 32bit architectures again. We don't want to build any debug information on 32bit anyway so we don't need this option on these platforms. * [6225c44] d/mozconfig.default: adding option for mipsel We don't have set up any options for the mipsel platform before, but the build needs some additional options too on this platform to succeed. * [4e348d9] d/mozconfig.default: disable ion on mips and mipsel The build will fail on mips{,el} if we have enabled ION, the JaveScript JIT compiler on these platforms will loose some performance by this. thunderbird (1:60.5.0-2) unstable; urgency=medium . * [aa2dbe3] d/changelog: update MFSA information for 60.5.0 The MFSA gut published shortly after the upload of the previous version. Adding the CVE numbers for MFSA 2019-03 to the changelog accordingly like happen for 1:60.4.0-1 too. * [71807dc] rebuild patch queue from patch-queue branch Due greater changes to the source the previous rebuild and refreshing of the patch queue wasn't correctly nor complete. Some more rework was needed and some patches got cherry-picked from firefox-esr. readded patches (not included upstream): porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch cherry-picked from firefox-esr: fixes/Bug-1470701-Use-run-time-page-size-when-changing-map.patch fixes/Bug-1505608-Try-to-ensure-the-bss-section-of-the-elf.patch porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch removed patches (included upstream): porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch * [eaa065b] apparmor: update profile from upstream (commit 7ace41b1) * [c761425] d/rules: make dh_clean more robust Remove some regenerated files in dh_clean to the build will not fail in case the buils needs to be started twice within the same build environment. * [aa7b033] d/gbp.conf: ignore configure script while importing The shipped scripts '*configure' in the toplevel folder and also in js/src aren't needed and we can them filter out while importing the tarballs. These scripts got (re)created by dh_auto_configure nevertheless. * [9f0acb2] d/rules: tweek LDFLAGS more to reduce RAM usage Reduce RAM usage while linking by using compressed sections. (picked from firefox-esr) * [62f195d] d/rules: Don't build debug symbols on non 64bit platforms Reduce even more RAM usage while linking by don't build debugging symbols if we build on non 64bit architectures. (picked from firefox-esr) thunderbird (1:60.5.0-1) unstable; urgency=medium . * d/source.filter: update filter list Updating the list of files to filter out while repacking the upstream tarball based on recent work done in debian/experimental. Unfortunately a lot of semi minimized *.js files from the original upstream tarball are later needed within some integrated consoles like the AddOn debugger or the error console. Don't filter out such files for now. (Closes: #911198) * [edab34d] d/changelog: update MFSA information for 60.4.0 While releasing and uploading the Debian version 1:60.4.0-1 no MFSA information was available, adding this information now into the changelog entry for 1:60.4.0-1. * [f3f44a3] New upstream version 60.5.0 No dedicated MFSA announcement for this Thunderbird version provided. * [ccac089] rebuild patch queue from patch-queue branch removed patches (included upstream): porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch removed patches (dropped by us): debian-hacks/Don-t-build-testing-suites-and-stuff.patch debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch refreshed patches: debian-hacks/Add-another-preferences-directory-for-applications-p.patch porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch porting-m68k/Add-m68k-support-to-Thunderbird.patch porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch * [43c28c2] d/s/lintian-overrides: more files to ignore Related to [4201f43] the override list for the source needs to be adjusted as we have now more files included there Lintian is complaining about missing source. These files are no 'real' minimized JS files, but the have mostly some long lines that are triggered the Lintian check. thunderbird (1:60.4.0-1) unstable; urgency=medium . * [2e5a9d0] d/control: don't hard code LLVM packages in B-D (Closes: #912797) * [3aaa4a6] New upstream version 60.4.0 No MFSA published yet by Mozilla Security while packaging this version. (Closes: #913645) * [12d3be3] debian/control: increase Standards-Version to 4.3.0 No further changes needed. tryton-server (4.2.1-2+deb9u1) stretch-security; urgency=high . * Include patches for CVE-2019-10868. * Add 03_sec_issue7766_check_read_access_in_search_domain.patch. This patch fixes security issue http://bugs.tryton.org/issue7766: Check read access on field in search domain. It is possible for an authenticated user to guess the value of a field for which he has no access right no matter if it is at the model or the field level. The procedure is to make dichotomous search queries on the model using a domain clause on the field equals value until the search returns the id. See also https://discuss.tryton.org/t/security-release-for-issue7766/ . * Add 04_sec_issue8189_check_read_access_on_search_order.patch. This patch fixes security issue http://bugs.tryton.org/issue8189: Check read access on field in search_order. An authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. See also https://discuss.tryton.org/t/security-release-for-issue8189/ twig (1.24.0-2+deb9u1) stretch-security; urgency=medium . * Team upload * Stick to v1 for stretch * Backport fix from 1.38: security issue in the sandbox [CVE-2019-9942] twitter-bootstrap3 (3.3.7+dfsg-2+deb9u2) stretch; urgency=medium . * Add patch to fix CVE-2019-8331: XSS in tooltip or popover tzdata (2019a-0+deb9u1) stretch; urgency=medium . * New upstream version, affecting the following past and future timestamps: - Palestine will not start DST until 2019-03-30, instead of 2019-03-23 as previously predicted. - Metlakatla ended its observance of Pacific standard time, rejoining Alaska Time, on 2019-01-20 at 02:00. tzdata (2018i-2) unstable; urgency=medium . * Update German debconf translation, by Holger Wansing. Closes: #918455. * Update Dutch debconf translation, by Frans Spiesschaert. Closes: #920427. * Update Russian debconf translation, by Lev Lamberov. Closes: #920598. * Update Danish debconf translation, by Joe Hansen. Closes: #923061. tzdata (2018i-1) unstable; urgency=high . * New upstream version, affecting the following future timestamps: - São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. unzip (6.0-21+deb9u1) stretch; urgency=medium . * Fix buffer overflow in password protected ZIP archives. Closes: #889838. Patch borrowed from SUSE. For reference, this is CVE-2018-1000035. vcftools (0.1.14+dfsg-4+deb9u1) stretch; urgency=medium . * Team upload. * Add patch from upstream to fix CVE-2018-11099, CVE-2018-11129 and CVE-2018-11130 (Closes: #902190). vips (8.4.5-1+deb9u1) stretch; urgency=medium . * Fix CVE-2018-7998: NULL function pointer dereference vulnerability in the vips_region_generate() function. * Fix CVE-2019-6976: zero memory on malloc to prevent write of uninit memory under some error conditions. waagent (2.2.34-3~deb9u1) stretch; urgency=medium . * Upload to stretch. waagent (2.2.34-2) unstable; urgency=medium . * Disable all tests, they need a real system. (closes: #918943) waagent (2.2.34-1) unstable; urgency=medium . * New upstream version. waagent (2.2.26-1) unstable; urgency=medium . * New upstream version. * Update Vcs entries to point to salsa.debian.org. * Disable agent auto update. (closes: #887704) waagent (2.2.18-3) unstable; urgency=medium . * Move udev rules to /lib/udev. (closes: #856065) * Set priority to optional. waagent (2.2.18-3~deb9u2) stretch-security; urgency=high . * Set proper access rights on swap file. CVE-2019-0804 wget (1.18-5+deb9u3) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix a buffer overflow vulnerability (CVE-2019-5953) (Closes: #926389) wireshark (2.6.7-1~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch(-security). wireshark (2.6.6-1) unstable; urgency=medium . [ Jean-Philippe MENGUAL ] * French debconf translation update (Closes: #915161) . [ Balint Reczey ] * New upstream version 2.6.6 - security fixes: - The P_MUL dissector could crash. (CVE-2019-5717) - The RTSE dissector and other dissectors could crash. (CVE-2019-5718) - The ISAKMP dissector could crash. (CVE-2019-5719) - The 6LoWPAN dissector could crash. (CVE-2019-5716) * Mention GPLv3+ code snippet in tools/pidl/idl.yp (Closes: #918089) wireshark (2.6.5-1) unstable; urgency=medium . * Add debian/gitlab-ci.yml * New upstream version 2.6.5 - release notes: https://www.wireshark.org/docs/relnotes/wireshark-2.6.5.html - security fixes: - The Wireshark dissection engine could crash. (CVE-2018-19625) - The DCOM dissector could crash. (CVE-2018-19626) - The LBMPDM dissector could crash. (CVE-2018-19623) - The MMSE dissector could go into an infinite loop. (CVE-2018-19622) - The IxVeriWave file parser could crash. (CVE-2018-19627) - The PVFS dissector could crash. (CVE-2018-19624) - The ZigBee ZCL dissector could crash. (CVE-2018-19628) * Update symbols wordpress (4.7.5+dfsg-2+deb9u5) stretch-security; urgency=medium . * Backport security patches from wordpress 5.0.1 Closes: #916403 - CVE-2018-20147 Delete files through altered meta data - CVE-2018-20152 Create posts of unauthorized post types - CVE-2018-20148 PHP object injection through crafted meta data - CVE-2018-20153 Edit other users comments, leading to XSS - CVE-2018-20150 XSS in plugins through crafted URL inputs - CVE-2018-20151 User activation screen visible to search engines - CVE-2018-20149 Bypass MIME verification causing XSS - CVE-2019-8942 Remote Code Execution (RCE) in uploaded image files wpa (2:2.4-1+deb9u3) stretch-security; urgency=high . * Apply a partial security fix for CVE-2019-9495: - OpenSSL: Use constant time operations for private bignums. - See https://w1.fi/security/2019-2/ for more details. * Apply security fixes: - EAP-pwd server: Detect reflection attacks (CVE-2019-9497) - EAP-pwd client: Verify received scalar and element (partial fix for CVE-2019-9498) - EAP-pwd server: Verify received scalar and element (partial fix for CVE-2019-9499) - See https://w1.fi/security/2019-4/ for more details. * Add an upstream patch to add crypto_ec_point_cmp() required by the fixes for CVE-2019-9497. * Forcefully enable compilation of the ECC code. . wpa (2:2.4-1+deb9u2) stretch; urgency=high . * SECURITY UPDATE: - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data (Closes: #905739) xmltooling (1.6.0-4+deb9u2) stretch-security; urgency=high . * [2f0c065] New patch fixing CVE-2019-9628: uncaught exception on malformed XML declaration. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type. This generally manifests as a crash in the calling code, which in the Service Provider software's case is usually the shibd daemon process, but can be Apache in some cases. Note that the crash occurs prior to evaluation of a message's authenticity, so can be exploited by an untrusted attacker. https://shibboleth.net/community/advisories/secadv_20190311.txt https://issues.shibboleth.net/jira/browse/CPPXT-143 Thanks to Scott Cantor (Closes: #924346) yorick-av (0.0.4-2~deb9u1) stable; urgency=low . * Rebuild for stretch. zziplib (0.13.62-3.2~deb9u1) stretch; urgency=medium . * Rebuild for stretch. ====================================== Sat, 16 Feb 2019 - Debian 9.8 released ====================================== ========================================================================= [Date: Sat, 16 Feb 2019 09:45:34 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: debian-parl | 1.9.10 | source parl-data | 1.9.10 | all parl-desktop | 1.9.10 | all parl-desktop-eu | 1.9.10 | all parl-desktop-strict | 1.9.10 | all parl-desktop-world | 1.9.10 | all Closed bugs: 921749 ------------------- Reason ------------------- RoQA; depends on broken / removed Firefox plugins ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:45:56 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: xul-ext-y-u-no-validate | 2013052407-3 | all y-u-no-validate | 2013052407-3 | source Closed bugs: 908405 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:46:28 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozvoikko | 2.2-0.1 | source xul-ext-mozvoikko | 2.2-0.1 | all Closed bugs: 912465 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:47:19 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: personasplus | 1.7.8-1 | source xul-ext-personasplus | 1.7.8-1 | all Closed bugs: 913436 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:48:00 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: corebird | 1.4.1-1+deb9u1 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 915292 ------------------- Reason ------------------- RoM; broken by Twitter API changes ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:49:19 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: firefox-branding-iceweasel | 0.4.0 | source xul-ext-iceweasel-branding | 0.4.0 | all Closed bugs: 918160 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:49:37 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: imap-acl-extension | 0.2.7-1 | source xul-ext-imap-acl | 0.2.7-1 | all Closed bugs: 918254 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:50:26 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: toggle-proxy | 1.9-2 | source xul-ext-toggle-proxy | 1.9-2 | all Closed bugs: 918257 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:51:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozilla-password-editor | 2.10.3-1 | source xul-ext-password-editor | 2.10.3-1 | all Closed bugs: 918258 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:52:30 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: firefox-kwallet5 | 1.0-2 | source xul-ext-kwallet5 | 1.0-2 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 918346 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:55:34 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: adblock-plus | 2.7.3+dfsg-1 | source xul-ext-adblock-plus | 2.7.3+dfsg-1 | all Closed bugs: 918347 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:56:40 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozilla-dom-inspector | 1:2.0.16-2 | source xul-ext-dom-inspector | 1:2.0.16-2 | all Closed bugs: 918349 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:56:54 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: browser-plugin-spice | 2.8.90-5 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x spice-xpi | 2.8.90-5 | source Closed bugs: 918350 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:57:26 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: flickrbackup | 0.2-3.1 | source, all Closed bugs: 919797 ------------------- Reason ------------------- RoM; ancient; abandoned upstream; deprecated ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:57:46 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: python-formalchemy | 1.4.2-1 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x Closed bugs: 920560 ------------------- Reason ------------------- RoQA; unusable, fails to import in python ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:58:01 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: flashblock | 1.5.20-2 | source xul-ext-flashblock | 1.5.20-2 | all Closed bugs: 920717 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:58:19 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: refcontrol | 0.8.17-3 | source xul-ext-refcontrol | 0.8.17-3 | all Closed bugs: 920718 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:58:54 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: cookie-monster | 1.3.0.5-1 | source xul-ext-cookie-monster | 1.3.0.5-1 | all Closed bugs: 920719 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:59:38 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: requestpolicy | 1.0.0~beta12.3+dfsg-1 | source xul-ext-requestpolicy | 1.0.0~beta12.3+dfsg-1 | all Closed bugs: 920722 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 09:59:59 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: mozilla-noscript | 2.9.0.14-1 | source xul-ext-noscript | 2.9.0.14-1 | all Closed bugs: 920724 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:00:15 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: debianbuttons | 1.11-3 | source xul-ext-debianbuttons | 1.11-3 | all Closed bugs: 921129 ------------------- Reason ------------------- RoQA; incompatible with newer firefox-esr versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:00:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: calendar-exchange-provider | 3.9.0-4 | source, all Closed bugs: 921932 ------------------- Reason ------------------- RoM; incompatible with newer Thunderbird versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:00:50 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libwww-topica-perl | 0.6-5 | source, all Closed bugs: 922110 ------------------- Reason ------------------- RoQA; useless due to Topica site removal ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:14:07 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libnvidia-egl-wayland1 | 384.130-1 | amd64, armhf, i386 nvidia-egl-wayland-common | 384.130-1 | amd64, armhf, i386 nvidia-egl-wayland-icd | 384.130-1 | amd64, armhf, i386 ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by nvidia-graphics-drivers) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 16 Feb 2019 10:25:58 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: python-certbot | 0.10.2-1 | all ------------------- Reason ------------------- [cruft] NBS (no longer built by python-certbot) ---------------------------------------------- ========================================================================= arc (5.21q-4+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix version 1 arc header reading * Fix arcdie crash when called with more then 1 variable argument * Fix directory traversal bugs (CVE-2015-9275) Thanks to Hans de Goede (Closes: #774527) astroml-addons (0.2.2-4~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . astroml-addons (0.2.2-4) unstable; urgency=medium . * Push Standards-Version to 4.0.0. No changes needed. . [ Scott Kitterman ] * Correct substitution variable for python3 binary so correct python3 interpreter depends are provided. Closes: #867243 base-files (9.9+deb9u8) stretch; urgency=medium . * Change /etc/debian_version to 9.8, for Debian 9.8 point release. c3p0 (0.9.1.2-9+deb9u1) stretch; urgency=medium . * Team upload. * Fix CVE-2018-20433. A XML External Entity (XXE) vulnerability was discovered in c3p0 that may be used to resolve information outside of the intended sphere of control. (Closes: #917257) ca-certificates-java (20170929~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . ca-certificates-java (20170929) unstable; urgency=low . [ Gianfranco Costamagna ] * Team upload. * Ack previous NMU, thanks . [ Rico Tzschichholz ] * Fix temporary jvm-*.cfg generation on armhf (Closes: #874276) - the armhf installation path is different from other architectures. ceph (10.2.11-2) stretch-security; urgency=medium . [ James Page ] * [d34d35] Fix build on i386 (Closes: #913909) ceph (10.2.11-1) stretch-security; urgency=medium . * [1aebf9] New upstream version 10.2.11 Fixes the following security vulnerabilities: - CVE-2017-7519: libradosstripper printf format string injection vulnerability - CVE-2018-1128: The cephx authentication protocol was vulnerable to a replay attack. - CVE-2018-1129: Cephx signature calculation did not cover the whole message being sent. This allowed an attacker to alter parts of the message. - CVE-2018-1086: A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. * [20b8e7] Replace sleep-recover.patch by reconnect-after-mds-reset.patch * [33f8d2] Remove CVE-2016-9597 patch applied upstream * [a9c2ee] Remove disable-openssl-linking.patch fixed upstream The upstream solution requires a build dependency on libssl-dev to be able to look up the sonames. The resulting code is not linked against libssl but can dlopen it at runtime. * [edc23d] Remove osd-limit-omap-data-in-push-op.patch applied upstream * [9dd30c] Remove rgw_rados-creation_time.patch applied upstream * [fff91f] Refresh patches * [c2925f] Update symbols for librbd1 (added in 10.2.6) ceph (10.2.7-0exp1) experimental; urgency=medium . [ James Page ] * [585f53] New upstream version 10.2.6 . [ Gaudenz Steinlin ] * [41b6fd] New upstream version 10.2.7 * [916972] Remove patch "cve-2016-9579_short_cors_request" applied upstream * [541204] Remove patch "disable-openssl-linking" sovled upstream * [60cc3d] Remove patch "osd-limit-omap-data-in-push-op" applied upstream * [ee0f76] Remove patch "rgw_rados-creation_time" applied upstream * [f07cb0] Refresh patches for 10.2.7 * [be7663] Build depend on libssl-dev. This is only needed to satisfy the build system checks the resulting binary is not linked against openssl and only dlopens it at runtime. So there is no GPL violation. chkrootkit (0.50-4+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Backport fix for regular expression for filtering out dhcpd and dhclient as false positives from the packet sniffer test. . [ Lorenzo "Palinuro" Faletra ] * Update /etc/cron.daily/chkrootkit (Closes: #600109) chromium-browser (70.0.3538.110-1~deb9u1) stretch-security; urgency=medium . * New upstream security release. - CVE-2018-17479: Use-after-free in GPU. chromium-browser (70.0.3538.102-1) unstable; urgency=medium . * New upstream security release. - CVE-2018-17478: Out of bounds memory access in V8. Reported by cloudfuzzer * Fix new lintian warnings. * Drop libjs-excanvas build dependency. * Add support for building with harfbuzz 2.1.1. * Document how to run chromium as root (closes: #838534). * Output debian specific instructions when no working sandbox is available. * Do not rely on transitive recommendation for the sandbox (closes: #913116). chromium-browser (70.0.3538.102-1~deb9u1) stretch-security; urgency=medium . * New upstream security release. - CVE-2018-17478: Out of bounds memory access in V8. Reported by cloudfuzzer * Eliminate unintended dependency on gconf-service (closes: #913926). * Restore arm64 crashpad patch mistakenly dropped in the previous upload. chromium-browser (70.0.3538.67-3) unstable; urgency=medium . * Fix a compiler warning. * Move the setuid sandbox into a separate package (closes: #839277). chromium-browser (70.0.3538.67-2) unstable; urgency=medium . * Restore support for building with gtk2. chromium-browser (70.0.3538.67-1) unstable; urgency=medium . * New upstream stable release. - CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark - CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson and Niklas Baumstark - Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn - CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr - CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian - CVE-2018-17466: Memory corruption in Angle. Reported by Omair - CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani - CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee - CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou - CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin - CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang - CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani - CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin - CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew - CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani - CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger - CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton * Fix build failure on i386. * Fix installation path of the master preferences file (closes: #911056). chromium-browser (70.0.3538.67-1~deb9u1) stretch-security; urgency=medium . * New upstream stable release. - CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark - CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson and Niklas Baumstark - Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn - CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr - CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian - CVE-2018-17466: Memory corruption in Angle. Reported by Omair - CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani - CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee - CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou - CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin - CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang - CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani - CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin - CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew - CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani - CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger - CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton chromium-browser (70.0.3538.54-2) unstable; urgency=medium . * Build with gcc 8 (closes: #901368). * Move the master preferences file to /etc/chromium (closes: #891232). chromium-browser (70.0.3538.54-1) unstable; urgency=medium . * New upstream beta release. chromium-browser (69.0.3497.100-1) unstable; urgency=medium . * New upstream stable release. * Update standards version to 4.2.1. * Clarify debugging section in README.debian (closes: #910842). * Remove ConvertUTF from the upstream tarball (closes: #900596). * Load all extensions installed to /usr/share/chromium/extensions. - Thanks to Michael Meskes (closes: #890392). * Remove audio_capture_enable setting from the default preferences (closes: #884887). chromium-browser (69.0.3497.92-1) unstable; urgency=medium . * New upstream security release. - Function signature mismatch in WebAssembly. Reported by Kevin Cheung - URL Spoofing in Omnibox. Reported by evi1m0 compactheader (2.1.6-1~deb9u1) stretch; urgency=medium . [ Carsten Schoenert ] * Rebuild for Stretch (Closes: #918167) * [93f8afe] debhelper: decrease to version available in stretch * [8fd6a50] d/compat: decrease accordingly to version 10 compactheader (2.1.5-1) unstable; urgency=medium . [ David Prévot ] * [faa4ffb] Drop Icedove from description * [58353f3] Update Standards-Version to 3.9.7 . [ Carsten Schoenert ] * [c9d19db] Adding debian/gbp.conf to make life easier * [5e31e42] New upstream version 2.1.5 (Closes: #891433) * [a7e96da] Add a patch queue * [15ea418] d/rules: don't install unneeded files and folder Don't install and ship files from the folder test and the files Readme.md build.xml which aren't needed for the use of the package. * [6d45fe5] d/rules: remove the get-orig-source target The old get-orig-source Makefile target isn't needed and can be dropped in favor of using uscan directly. * [449a5e1] bumping debhelper and compat to version 11 Let's use a recent debhelper version. * [27ff6a3] d/control: increase Standards-Version to 4.1.4 No further changes needed. * [8a365a5] d/control: move package over to pkg-mozext-team on salsa Alioth will be going offline and the successor platform is Salsa. * [891ab67] d/control: adding myself as uploader Thanks to William for working on compactheader in the past! (Closes: #892410) * [23957a9] d/control: adjust Maintainer field due changed email address Due changes for the Alioth host the Maintainer email is also changing to a new domain. compactheader (2.1.1~beta1-1) experimental; urgency=medium . * Team upload . [ jmozmoz ] * Add Portuguese translation courier (0.76.3-5+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport @piddir@ substitution from 1.0.5-1. . [ Markus Wanner ] * Extend patch 0018-Fix-default-configuration-for-Debian.patch with the piddir addition proposed by Willi Mann. Closes: #875696. cups (2.2.1-8+deb9u3) stretch; urgency=low . * Backport upstream fixes for: - CVE-2017-18248: DBUS notifications could crash the scheduler - CVE-2018-4700: Linux session cookies used a predictable random number seed (Closes: #915909) curl (7.52.1-5+deb9u9) stretch-security; urgency=high . * Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890 https://curl.haxx.se/docs/CVE-2018-16890.html * Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822 https://curl.haxx.se/docs/CVE-2019-3822.html * Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823 https://curl.haxx.se/docs/CVE-2019-3823.html debian-edu-config (1.929+deb9u3) stretch; urgency=medium . [ Wolfgang Schweer ] * debian-edu-config.chromium-ldapconf: Remove slapd start requirement. . debian-edu-config (1.929+deb9u2) stretch; urgency=medium . [ Wolfgang Schweer ] * Fix configuration of personal web pages. (Closes: #866228). - Set right order of linking in cf/cf.apache2. - Add conditional code to d/d-e-c.postinst to fix the wrong configuration generated via the cfengine run during main server installation (introduced in version 1.926). * Re-enable offline installation of a combi server including diskless workstation support. (Closes: #867271, #904331). - 015-edu-apt-source: fix apt-get options to be able to use a repo of type 'file://'. As 'media/cdrom/' in the LTSP chroot is treated as such a repo, add 'acquire::check-valid-until=0' to APT_GET_OPTS; otherwise installation fails because the Release file is expired. - 032-edu-pkgs: Move all diskless workstation installation parts to the finalization stage of LTSP chroot installation. * Enable Chromium homepage setting at installation time and via LDAP as further improvements for the fix for bug #891262 in version 1.929+deb9u1: - Add cf/cf.chromium (cfengine). - Add debian/debian-edu-config.chromium-ldapconf (init script). - Add share/debian-edu-config/tools/update-chromium-homepage (used by both cfengine and the init script). - Adjust Makefile and debian/rules. . [ Mike Gabriel ] * update-chromium-homepage: - Don't complain about non-existing config file when attempting its removal. - Don't statically set http://www as homepage, use detected homepage instead. (Closes: #911790) debian-edu-config (1.929+deb9u2) stretch; urgency=medium . [ Wolfgang Schweer ] * Fix configuration of personal web pages. (Closes: #866228). - Set right order of linking in cf/cf.apache2. - Add conditional code to d/d-e-c.postinst to fix the wrong configuration generated via the cfengine run during main server installation (introduced in version 1.926). * Re-enable offline installation of a combi server including diskless workstation support. (Closes: #867271, #904331). - 015-edu-apt-source: fix apt-get options to be able to use a repo of type 'file://'. As 'media/cdrom/' in the LTSP chroot is treated as such a repo, add 'acquire::check-valid-until=0' to APT_GET_OPTS; otherwise installation fails because the Release file is expired. - 032-edu-pkgs: Move all diskless workstation installation parts to the finalization stage of LTSP chroot installation. * Enable Chromium homepage setting at installation time and via LDAP as further improvements for the fix for bug #891262 in version 1.929+deb9u1: - Add cf/cf.chromium (cfengine). - Add debian/debian-edu-config.chromium-ldapconf (init script). - Add share/debian-edu-config/tools/update-chromium-homepage (used by both cfengine and the init script). - Adjust Makefile and debian/rules. . [ Mike Gabriel ] * update-chromium-homepage: - Don't complain about non-existing config file when attempting its removal. - Don't statically set http://www as homepage, use detected homepage instead. (Closes: #911790) debian-installer-netboot-images (20170615+deb9u5.b2) stretch; urgency=medium . * Update to 20170615+deb9u5+b2 images, from stretch-proposed-update debian-security-support (2019.02.01~deb9u1) stretch; urgency=medium . * Team upload. * Rebuild for stretch, without d/control changes. debian-security-support (2019.01.19) unstable; urgency=medium . * Team upload. . [ Holger Levsen ] * d/control: - bump standards version to 4.3.0. - bump debhelper compat to 11, use the new debhelper-compat(=11) notation and drop d/compat. - add "Rules-Requires-Root: no" to support building as non-root. debian-security-support (2018.11.25) unstable; urgency=medium . * Team upload. . [ Markus Koschany ] * Mark jasperreports as end-of-life in Jessie. . [ Salvatore Bonaccorso ] * Mark webkit2gtk as unsupported in all releases. (Closes: #914567) . [ Holger Levsen ] * Bump standards version to 4.2.1. . [ Ondřej Nový ] * d/copyright: Use https protocol in Format field. * d/changelog: Remove trailing whitespaces. debian-security-support (2018.11.25~deb9u1) stretch; urgency=medium . * Team upload. * Rebuild for stretch. . debian-security-support (2018.11.25) unstable; urgency=medium . * Team upload. . [ Markus Koschany ] * Mark jasperreports as end-of-life in Jessie. . [ Salvatore Bonaccorso ] * Mark webkit2gtk as unsupported in all releases. (Closes: #914567) . [ Holger Levsen ] * Bump standards version to 4.2.1. . [ Ondřej Nový ] * d/copyright: Use https protocol in Format field. * d/changelog: Remove trailing whitespaces. . debian-security-support (2018.06.08) unstable; urgency=medium . * Add .gitlab-ci.yml configuration * Mark jruby in jessie as end-of-life as per DSA-4219-1 (Closes: #901032) . debian-security-support (2018.05.20) unstable; urgency=medium . * Mark vlc in jessie as end-of-life as per DSA 4203-1 . debian-security-support (2018.05.17) unstable; urgency=medium . [ Antoine Beaupré ] * mark frontaccounting as unsupported . [ Markus Koschany ] * Add xulrunner to security-support-ended.deb7 . [ Salvatore Bonaccorso ] * Mark redmine as end-of-life for Debian 8 (jessie) (Closes: #897609) * Update Vcs-* headers for switch to salsa.debian.org * Update German translations. Thanks to Chris Leick (Closes: #878321) . debian-security-support (2018.01.29) unstable; urgency=medium . [ Markus Koschany ] * Add teamspeak to security-support-ended.deb7 * Add libstruts1.2-java to security-support-ended.deb7. * Add nvidia-graphics-drivers to security-support-ended.deb7. Non-free is not supported * Add glassfish to security-support-ended.deb7 * Mark jbossas4 as end-of-life in Wheezy. * Mark jasperreports as unsupported in Wheezy. No sponsor users it. Targeted fixes not possible because detailed information about the vulnerabilities and their solution (patches) is not available. . [ Salvatore Bonaccorso ] * Mark chromium-browser as end-of-life for Debian 8 (Jessie) . [ Raphaël Hertzog ] * Mark libnet-ping-external-perl as unsupported in wheezy. * Mark mp3gain as unsupported in wheezy. . [ Emilio Pozuelo Monfort ] * Mark tor as unsupported in wheezy. . [ Guido Günther ] * Add swftools to security support limited swftools is orphaned (#885088) and the security tracker is currently counting 25 open CVEs. It is a useful tool with trusted content though. * Bump standards version to 4.1.3. No changes needed * Bump debhelper compat level to 9 which is available in oldoldstable (wheezy). debian-security-support (2018.06.08) unstable; urgency=medium . * Add .gitlab-ci.yml configuration * Mark jruby in jessie as end-of-life as per DSA-4219-1 (Closes: #901032) debian-security-support (2018.05.20) unstable; urgency=medium . * Mark vlc in jessie as end-of-life as per DSA 4203-1 debian-security-support (2018.05.17) unstable; urgency=medium . [ Antoine Beaupré ] * mark frontaccounting as unsupported . [ Markus Koschany ] * Add xulrunner to security-support-ended.deb7 . [ Salvatore Bonaccorso ] * Mark redmine as end-of-life for Debian 8 (jessie) (Closes: #897609) * Update Vcs-* headers for switch to salsa.debian.org * Update German translations. Thanks to Chris Leick (Closes: #878321) debian-security-support (2018.01.29) unstable; urgency=medium . [ Markus Koschany ] * Add teamspeak to security-support-ended.deb7 * Add libstruts1.2-java to security-support-ended.deb7. * Add nvidia-graphics-drivers to security-support-ended.deb7. Non-free is not supported * Add glassfish to security-support-ended.deb7 * Mark jbossas4 as end-of-life in Wheezy. * Mark jasperreports as unsupported in Wheezy. No sponsor users it. Targeted fixes not possible because detailed information about the vulnerabilities and their solution (patches) is not available. . [ Salvatore Bonaccorso ] * Mark chromium-browser as end-of-life for Debian 8 (Jessie) . [ Raphaël Hertzog ] * Mark libnet-ping-external-perl as unsupported in wheezy. * Mark mp3gain as unsupported in wheezy. . [ Emilio Pozuelo Monfort ] * Mark tor as unsupported in wheezy. . [ Guido Günther ] * Add swftools to security support limited swftools is orphaned (#885088) and the security tracker is currently counting 25 open CVEs. It is a useful tool with trusted content though. * Bump standards version to 4.1.3. No changes needed * Bump debhelper compat level to 9 which is available in oldoldstable (wheezy). dnspython (1.15.0-1+deb9u1) stretch; urgency=medium . * Add debian/patches/0002-fix-error-when-parsing-nsec3-bitmap-from- text.patch from upstream (Closes: #915866) drupal7 (7.52-2+deb9u6) stretch-security; urgency=high . [ William Blough ] * Add upstream fix for DATE_RFC7231 conflict with php7 (Closes: #911791) . [ Gunnar Wolf ] * SA-CORE-2019-001: Vulnerability in a third-party library (related to CVE-2018-1000888) * SA-CORE-2019-002: Arbitrary PHP code execution egg (4.2.0-1.1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Skip emacsen-install for unsupported xemacs21. (Closes: #900812) erlang (1:19.2.1+dfsg-2+deb9u2) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport removal of xemacs21 support from 1:21.2+dfsg-2. . [ Sergei Golovan ] * Do not install Erlang mode for XEmacs since it isn't supposed to work with it (closes: #909387). espeakup (1:0.80-5+deb9u3) stretch; urgency=high . * debian/espeakup.service: Fix compatibility with older versions of systemd (Closes: Bug#913453). Also fix starting with empty voice language. firefox-esr (60.5.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2019-02, also known as: CVE-2018-18500, CVE-2018-18505, CVE-2018-18501. firefox-esr (60.4.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-30, also known as: CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, CVE-2018-18498, CVE-2018-12405. firefox-esr (60.4.0esr-1~deb9u1) stretch-security; urgency=medium . * New upstream release. * Fixes for mfsa2018-30, also known as: CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, CVE-2018-18498, CVE-2018-12405. . * debian/rules: Use embedded libevent in backports. Closes: #910397. * debian/browser.install.in, debian/rules: Properly copy the watermark to /usr/share/icons/hicolor/symbolic/apps. * debian/rules: Pass compiler and compiler flags environment variables down to ICU configure. That will make it use GCC instead of defaulting to clang now it's in PATH, avoiding the failing to build the ICU data file on big endian platforms because clang doesn't know some of the GCC flags it somehow got from the environment. . * build/unix/elfhack/test.c: Try to ensure the bss section of the elfhack testcase stays large enough. bz#1505608. * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB on systems with large pages. bz#1507035. Closes: #911898. firefox-esr (60.3.0esr-3) unstable; urgency=medium . * debian/browser.install.in, debian/rules: Properly copy the watermark to /usr/share/icons/hicolor/symbolic/apps. * debian/rules: Pass compiler and compiler flags environment variables down to ICU configure. That will make it use GCC instead of defaulting to clang now it's in PATH, avoiding the failing to build the ICU data file on big endian platforms because clang doesn't know some of the GCC flags it somehow got from the environment. firefox-esr (60.3.0esr-2) unstable; urgency=medium . * debian/control*: Build depend on unversioned clang/llvm. Closes: #912804. * debian/rules: Use embedded libevent in backports. Closes: #910397. . * build/unix/elfhack/test.c: Try to ensure the bss section of the elfhack testcase stays large enough. bz#1505608. * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB on systems with large pages. bz#1507035. Closes: #911898. firefox-esr (60.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2018-27, also known as: CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396, CVE-2018-12397, CVE-2018-12389, CVE-2018-12390. . * debian/rules: Work around armel FTBFS from conflicting __sync_* symbols between libgcc and rust's compiler_builtins. freerdp (1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3) stretch; urgency=medium . * debian/patches: Add security patches. - CVE-2018-8786.patch: The count variable in update_read_bitmap() needs to be UINT32 (not UINT16). - CVE-2018-8787.patch: In gdi_Bitmap_Decompress, check for invalid bpp, width and height before decompressing. CVE-2018-8788.patch: In NSC encode/decode functions, catch data flawed in various ways and bail out with failure. CVE-2018-8789.patch: In ntlm_read_message_fields_buffer, check buffer offset vs. Stream_Length and bail out if not appropriate. - Thanks to Alex Murray for backporting them to FreeRDP 1.1. * debian/patches: + Add 0010_add-support-for-credssp-v3-and-rdpproto-v6.patch. Add CredSSP v3 and RDP proto v6 support. This allows users to connect to recently (since March 2018) updated Microsoft RDP servers again. Thanks to Bernhard Miklautz and Martin Fleisz for helping out with backporting this patch. Much appreciated! * debian/control: + Update Vcs-*: URLs. * debian/lib{freerdp-core1.1,winpr-sspi0.1}.symbols: Update symbols. ganeti-os-noop (0.2-1+deb9u1) stretch; urgency=medium . * debian/control: + Update Vcs-*: fields. VCS repo has been migrated to salsa.debian.org. + Priority extra -> optional. + Update Maintainer: field to 'Debian Ganeti Team ' * debian/patches: + Add 1001_fix-export-script-for-non-block-devices.patch. Fix size detection for non-block devices. Thanks to Bastian Blank for providing the patch. (Closes: #895602). ghostscript (9.26a~dfsg-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 9.26a~dfsg + Includes fix for CVE-2019-6116 * Temporarily split ABI at ~ (not a). * Update symbols: 1 private added ghostscript (9.26~dfsg-2) unstable; urgency=high . * Add patches cherry-picked upstream to fix segfault with certain PDFs with -dLastPage=1. Closes: Bug#915832. Thanks to Salvatore Bonaccorso. * Set urgency=high as this is fixes regression in 9.26~dfsg-1. ghostscript (9.26~dfsg-1) unstable; urgency=high . [ upstream ] * New security and bugfix release. . [ Jonas Smedegaard ] * Drop patches cherry-picked upstream now applied. * Unfuzz patch 2009. * Set urgency=high due to high potential for security fixes (beyond those already included as cherry-picked patches). * Update symbols: 12 private added. ghostscript (9.26~dfsg-0+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches cherry-picked upstream to fix segfault with certain PDFs with -dLastPage=1. (Closes: #915832) ghostscript (9.26~dfsg-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 9.26~dfsg + Includes fixes for the following security vulnerabilities: CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477 * Drop patches cherry-picked upstream now applied * Unfuzz patch 2009. * Update symbols: 12 private added. ghostscript (9.25~dfsg-7) unstable; urgency=medium . * drop obsolete preinst migrations. * Quote variables in package helper update-gsfontmap. * Fix typos in previous changelog entries. * Disable parallel building. Closes: Bug#912847. Thanks to Matthias Klose. ghostscript (9.25~dfsg-6) unstable; urgency=medium . * Add patch cherry-picket upstream to fix cups get/put_params LeadingEdge logic. Closes: Bug#912664. Thanks to Salvatore Bonaccorso. ghostscript (9.25~dfsg-5) unstable; urgency=medium . * Add patch cherry-picket upstream to fix openjpeg segfault if size too large. ghostscript (9.25~dfsg-4) unstable; urgency=high . * Re-release with urgency=high, due to CVE fixes. ghostscript (9.25~dfsg-3) unstable; urgency=medium . * Add patches cherry-picked upstream to fix execution issues. + Implement .currentoutputdevice operator + Change "executeonly" to throw typecheck on gstatetype and devicetype objects + Undefine some additional internal operators. + Fix handling of .needinput if used from interpreter + Ensure all errors are included from initialization + setundercolorremoval memory corruption + copydevice fails after stack device copies invalidated + add operand checking to .setnativefontmapbuilt + add object type check for AES key + Add parameter type checking on .bigstring + zparse_dsc_comments can crash with invalid dsc_state + Catch errors in setpagesize, .setpagesize and setpagedevice and cleanup + Catch errors and cleanup stack on statusdict page size definitions + Add parameter checking in setresolution + device subclass open_device call must return child code + fix DSC comment parsing in pdfwrite + Check all uses of dict_find* to ensure 0 return properly handled + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite + Avoid overrunning non terminated string buffer. + Prevent SEGV in gs_setdevice_no_erase. + Fix uninitialised value for render_cond. + Hide the .needinput operator + filenameforall calls bad iodev with insufficent scratch + Improve hiding of security critical custom operators + Prevent SEGV after calling gs_image_class_1_simple. + don't push userdict in preparation for Type 1 fonts + add control over hiding error handlers. + For hidden operators, pass a name object to error handler. + Explicitly exclude /unknownerror from the SAFERERRORLIST + don't include operator arrays in execstack output + Make .forceput unavailable from '.policyprocs' helper dictionary + .loadfontloop must be an operator + font parsing - prevent SEGV in .cffparse Closes: Bug#910678, #910758, #911175 (CVE-2018-17961, CVE-2018-18073, CVE-2018-18284). Thanks to Salvatore Bonaccorso. * Unfuzz patches. * Declare compliance with Debian Policy 4.2.1. * Update symbols: 1 private added. ghostscript (9.25~dfsg-2) unstable; urgency=high . * Add/correct bug-closures for previous releases 9.25~dfsg-1, 9.25~dfsg-1~exp1, 9.24~~rc2~dfsg-1, 9.21~dfsg-1. * Set urgency=high due to recent CVE fixes. ghostscript (9.25~dfsg-1) unstable; urgency=medium . * Stop needlessly install symlinks handled upstream since ~9.05. * Tidy control file: + Wrap-and-sort. + Drop support for auto-resolving package relations or major version. * Update package relations: + Stop needlessly depend on debconf. + Stop build-depend on dh-buildinfo: Effectively unused. + Stop build-depend on libtrio: Unused upstream since 9.18. * Update copyright info: + Wrap-and-sort. + Extend coverage of Debian packaging. Drop unneeded copyrigh signs. + Fix files section licensed as AGPL-3+ (no longer GPL-3+). + Use semantic linefeeds. * Update symbols tracking: + Drop 19 private symbols. + Add 59 private symbols. * Add more bug-closures to previous release 9.25~dfsg-1~exp1. ghostscript (9.25~dfsg-1~exp1) experimental; urgency=medium . [ upstream ] * New bugfix release(s). Closes: Bug#907703, #908300, #908303, #908304, #908305 (CVE-2018-16509, CVE-2018-16543, CVE-2018-16510, CVE-2018-16585). Thanks to Salvatore Bonaccorso. . * Update copyright info: + Stop exclude image containing non-DFSG ICC profile when repackaging upstream source: Fixed upstream. + Fix cover license FTL. * Set Rules-Requires-Root: no. * Update symbols: + Drop commented out obsolete symbols. + Flag as optional symbols not declared in public header files. * Avoid privacy breach linking documentation to jquery: + Add patch 2009 to use local jquery. + Add symlink from relative link to system-shared jquery library. + Have ghostscript-doc depend on libjs-jquery. * Avoid privacy breach linking documentation to font: + Avoid linking to remote fonts in documentation. * Avoid privacy breach linking documentation with Google: + Strip googletagmanager code from documentation. ghostscript (9.25~dfsg-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 9.25~dfsg + Fixes regression using ps2ascii after fix for CVE-2018-17183 (Closes: #909076) + status operator honour SAFER option (CVE-2018-11645) * Drop patches applied upstream * Rebase 2001_docdir_fix_for_debian.patch for 9.25 * Rebase 2010_add_build_timestamp_setting.patch for 9.25 * Add patches cherry-picked upstream to fix execution issues. + Implement .currentoutputdevice operator + Change "executeonly" to throw typecheck on gstatetype and devicetype objects + Undefine some additional internal operators. + Fix handling of .needinput if used from interpreter + Ensure all errors are included from initialization + setundercolorremoval memory corruption + copydevice fails after stack device copies invalidated + add operand checking to .setnativefontmapbuilt + add object type check for AES key + Add parameter type checking on .bigstring + zparse_dsc_comments can crash with invalid dsc_state + Catch errors in setpagesize, .setpagesize and setpagedevice and cleanup + Catch errors and cleanup stack on statusdict page size definitions + Add parameter checking in setresolution + device subclass open_device call must return child code + fix DSC comment parsing in pdfwrite + Check all uses of dict_find* to ensure 0 return properly handled + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite + Avoid overrunning non terminated string buffer. + Prevent SEGV in gs_setdevice_no_erase. + Fix uninitialised value for render_cond. + Hide the .needinput operator + filenameforall calls bad iodev with insufficent scratch + Improve hiding of security critical custom operators (CVE-2018-17961) (Closes: #911175) + Prevent SEGV after calling gs_image_class_1_simple. + don't push userdict in preparation for Type 1 fonts + add control over hiding error handlers. (Closes: #909929) + For hidden operators, pass a name object to error handler. (CVE-2018-17961) (Closes: #911175) + Explicitly exclude /unknownerror from the SAFERERRORLIST + don't include operator arrays in execstack output (CVE-2018-18073) (Closes: #910758) + Make .forceput unavailable from '.policyprocs' helper dictionary (CVE-2018-18284) (Closes: #911175) + .loadfontloop must be an operator (CVE-2018-17961) (Closes: #911175) + font parsing - prevent SEGV in .cffparse * openjpeg allocator must return NULL if size too large * debian/copyright: Refresh with version from 9.25~dfsg-5 * debian/libgs9.symbols: Update (and sync from 9.25~dfsg-5) for new version. Adjust version for errorexec_find@Base. * Fix cups get/put_params LeadingEdge logic (cf. #912664) * Avoid privacy breach linking documentation to jquery: + Add patch 2009 to use local jquery. + Add symlink from relative link to system-shared jquery library. + Have ghostscript-doc depend on libjs-jquery. * Avoid privacy breach linking documentation to font: + Avoid linking to remote fonts in documentation. * Avoid privacy breach linking documentation with Google: + Strip googletagmanager code from documentation. ghostscript (9.24~~rc2~dfsg-1) experimental; urgency=medium . [ upstream ] * New prerelease. . * Update copyright info: + Exclude convenience code copy of lcms2mt (not lcms2) and image containing non-DFSG ICC profile when repackaging upstream source. * Update copyright-check maintainer script: Extract metadata from png files. * Update copyright info: + Extend coverage for main upstream author. + Extend coverage for Adobe. * Drop patches cherry-picked upstream since applied. * Unfuzz patches. ghostscript (9.22~dfsg-3) unstable; urgency=high . * Add patches cherry-picked upstream to fix execution issues: + Properly apply file permissions to .tempfile. + Don't just assume an object is a t_(a)struct. + Fix handling of pre-SAFER opened files. + Properly check return value when getting value from a dictionary. + Handle LockDistillerParams not being a boolean. + Fix shading_param incomplete type checking. + Ensure the correct is in place before cleanup. + Check the restore operand type. + Fix memory corruption in aesdecode. + Fix handle stack overflow during error handling. + Avoid sharing pointers between pdf14 compositors. + Improve restore robustness. + Hide the .shfill operator. Closes: Bug#907332. Thanks to Nicolas Braud-Santoni. * Use package section optional (not extra). * Extend lintian overrides regarding License-Reference. * Declare compliance with Debian Policy 4.2.0. ghostscript (9.22~dfsg-2.1) unstable; urgency=medium . * Non-maintainer upload. * Buffer overflow in fill_threshold_buffer (CVE-2016-10317) (Closes: #860869) * pdfwrite - Guard against trying to output an infinite number (CVE-2018-10194) (Closes: #896069) ghostscript (9.22~dfsg-2) unstable; urgency=medium . * Update Vcs-* fields for the move to salsa.d.o ghostscript (9.22~dfsg-1) unstable; urgency=medium . [ upstream ] * New release. Highlights: + Ghostscript can now consume and produce (via the pdfwrite device) PDF 2.0 compliant files. + The main focus of this release has been security and code cleanliness. Hence many AddressSanitizer, Valgrind and Coverity issues have been addressed. + The usual round of bug fixes, compatibility changes, and incremental improvements. . [ Jonas Smedegaard ] * Update copyright info: + Update paths of files to strip from upstream source. + Stop strip ConvertUTF files when repackaging upstream source: No longer included upstream. * Update watch file: Use substitution strings. * Update package relations: + Relax to build-depend unversioned on liblcms2-dev d-shlibs cdbs: Needed versions satisfied even in oldstable * Tighten lintian overrides regarding License-Reference. * Use https protocol for upstream Homepage. * Declare compliance with Debian Policy 4.1.1. * Drop patches applied upstream. * Unfuzz patches. * Update symbols file. ghostscript (9.22~~rc1~dfsg-1) experimental; urgency=medium . [ upstream ] * New release. Highlights: + Ghostscript can now consume and produce (via the pdfwrite device) PDF 2.0 compliant files. + The main focus of this release has been security and code cleanliness. Hence many AddressSanitizer, Valgrind and Coverity issues have been addressed. + The usual round of bug fixes, compatibility changes, and incremental improvements. . * Update copyright info: + Update paths of files to strip from upstream source. + Stop strip ConvertUTF files when repackaging upstream source: No longer included upstream. * Update watch file: Use substitution strings. * Update package relations: + Relax to build-depend unversioned on liblcms2-dev d-shlibs cdbs: Needed versions satisfied even in oldstable * Tighten lintian overrides regarding License-Reference. * Use https protocol for upstream Homepage. * Declare compliance with Debian Policy 4.1.0. * Drop patches applied upstream. * Unfuzz patches. ghostscript (9.21~dfsg-1) unstable; urgency=medium . [ upstream ] * New release. Highlights: + pdfwrite preserves annotations from input PDFs where possible. + GhostXPS pass required data to pdfwrite to emit a ToUnicode CMap, resulting in fully searchable PDFs created from XPS in most cases. + Allow default color space for PDF transparency blends. + Improved support for cross-compiling in configure script. + tiffscaled and tiffscaled4 supports ETS (Even Tone Screening). + toolbin/pdf_info.ps utility emits PDF XML metadata. + New scan converter, more performant with large and complex paths. . [ Jonas Smedegaard ] * Modernize cdbs: + Do copyright-check in maintainer script (not during build). * Avoid compressing pdf documentation. * Revive git-ignore file, lost importing NMUs. * Update watch file: Fix track releases (not tags). * Update copyright info: + Fix update main Files section to include all directory wildcards declared in root LICENSE file. + Stop track files no longer shipped upstream. + Add copyright holder Raph Levien. + Extend coverage for main upstream author. + Use https protocol in format string. * Update patches: + Drop patches applied upstream. + Normalize patch names. + Tidy DEP3 patch headers. + Add patch cherry-picked upstream to fix the shared openjpeg build. + Add patch cherry-picked upstream to fix shared lib build with openjpeg >= 2.1.1, replacing patch 1001. * Update package relations: + Relax build-dependency on cdbs. + Stop build-depend on licensecheck libregexp-assemble-perl libimage-exiftool-perl libfont-ttf-perl. * Relax symbols check when targeting experimental. * Update symbols: 16 dropped. 37 added. * Declare compliance with Debian Policy 4.0.0. ghostscript (9.21~dfsg-1~exp1) experimental; urgency=medium . [ upstream ] * New release. Highlights: + pdfwrite preserves annotations from input PDFs where possible. + GhostXPS pass required data to pdfwrite to emit a ToUnicode CMap, resulting in fully searchable PDFs created from XPS in most cases. + Allow default color space for PDF transparency blends. + Improved support for cross-compiling in configure script. + tiffscaled and tiffscaled4 supports ETS (Even Tone Screening). + toolbin/pdf_info.ps utility emits PDF XML metadata. + New scan converter, more performant with large and complex paths. . [ Jonas Smedegaard ] * Modernize cdbs: + Do copyright-check in maintainer script (not during build). * Avoid compressing pdf documentation. * Revive git-ignore file, lost importing NMUs. * Update watch file: Fix track releases (not tags). * Update copyright info: + Stop track files no longer shipped upstream. + Add copyright holder Raph Levien. + Extend coverage for main upstream author. * Update patches: + Drop patches applied upstream. + Normalize patch names. + Tidy DEP3 patch headers. + Add patch cherry-picked upstream to fix the shared openjpeg build. + Add patch cherry-picked upstream to fix shared lib build with openjpeg >= 2.1.1, replacing patch 1001. * Update package relations: + Relax build-dependency on cdbs. + Stop build-depend on licensecheck libregexp-assemble-perl libimage-exiftool-perl libfont-ttf-perl. * Relax symbols check when targeting experimental. glibc (2.24-11+deb9u4) stretch; urgency=medium . [ Aurelien Jarno ] * debian/patches/git-updates.diff: update from upstream stable branch: - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: #879501. - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: #879500. - Fix a buffer overflow in glob with GLOB_TILDE in unescaping (CVE-2017-15804). Closes: #879955. - Fix a memory leak in ld.so (CVE-2017-1000408). Closes: #884132. - Fix a buffer overflow in ld.so (CVE-2017-1000409). Closes: #884133. - Fixes incorrect RPATH/RUNPATH handling for SUID binaries (CVE-2017-16997). Closes: #884615. - Fix a data corruption in SSE2-optimized memmove implementation for i386 (CVE-2017-18269). - Fix a stack-based buffer overflow in the realpath function (CVE-2018-11236). Closes: #899071. - Fix a buffer overflow in the AVX-512-optimized implementation of the mempcpy function (CVE-2018-11237). Closes: #899070. - Fix stack guard size accounting and reduce stack usage during unwinding to avoid segmentation faults on CPUs with AVX512-F. Closes: #903554. - Fix a use after free in pthread_create(). Closes: #916925. * debian/debhelper.in/libc.postinst, script.in/nsscheck.sh: check for postgresql in NSS check. Closes: #710275. . [ Sebastian Andrzej Siewior ] * patches/any/local-condvar-do-not-use-requeue-for-pshared-condvars.patch: patch to fix pthread_cond_wait() in the pshared case on non-x86. Closes: #904158. glx-alternatives (0.8.8~deb9u2) stretch; urgency=medium . * Revert dpkg-trigger changes from 0.8.8 as it may cause an exception thrown in apt. (Closes: #922210) glx-alternatives (0.8.8~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . glx-alternatives (0.8.8) unstable; urgency=medium . * glx-diversions: Put all packages that had shared libraries diverted into triggers-awaited state to ensure the triggers in glx-alternative-mesa setting up the glx alternative get processed earlier. (Closes: #905908) * Bump Standards-Version to 4.2.1. No changes needed. . glx-alternatives (0.8.7) unstable; urgency=medium . * Update validation of the diverted libGL.so symlink. . glx-alternatives (0.8.6) unstable; urgency=medium . * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not an indicator to install the alternative. (Closes: #904486) . glx-alternatives (0.8.5) unstable; urgency=medium . * Avoid confusing diagnostic message if no nvidia alternative is available. . glx-alternatives (0.8.4) unstable; urgency=medium . * Add diversion and alternative for libGLX_indirect.so.0. * Bump Standards-Version to 4.1.5. No changes needed. glx-alternatives (0.8.8~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . glx-alternatives (0.8.8) unstable; urgency=medium . * glx-diversions: Put all packages that had shared libraries diverted into triggers-awaited state to ensure the triggers in glx-alternative-mesa setting up the glx alternative get processed earlier. (Closes: #905908) * Bump Standards-Version to 4.2.1. No changes needed. glx-alternatives (0.8.7) unstable; urgency=medium . * Update validation of the diverted libGL.so symlink. glx-alternatives (0.8.7~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . glx-alternatives (0.8.7) unstable; urgency=medium . * Update validation of the diverted libGL.so symlink. . glx-alternatives (0.8.6) unstable; urgency=medium . * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not an indicator to install the alternative. (Closes: #904486) . glx-alternatives (0.8.5) unstable; urgency=medium . * Avoid confusing diagnostic message if no nvidia alternative is available. . glx-alternatives (0.8.4) unstable; urgency=medium . * Add diversion and alternative for libGLX_indirect.so.0. * Bump Standards-Version to 4.1.5. No changes needed. glx-alternatives (0.8.6) unstable; urgency=medium . * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not an indicator to install the alternative. (Closes: #904486) glx-alternatives (0.8.5) unstable; urgency=medium . * Avoid confusing diagnostic message if no nvidia alternative is available. glx-alternatives (0.8.4) unstable; urgency=medium . * Add diversion and alternative for libGLX_indirect.so.0. * Bump Standards-Version to 4.1.5. No changes needed. glx-alternatives (0.8.3) unstable; urgency=medium . * Divert libGL.so.1.7.0, libGLESv1_CM.so.1.2.0, libGLESv2.so.2.1.0, libEGL.so.1.1.0 that will be used by the next libglvnd upstream release. * Update validation of the diverted libGL.so.1 symlink. (Closes: #879041) gnulib (20140202+stable-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * vasnprintf: Fix heap memory overrun bug (CVE-2018-17942) (Closes: #910757) gnupg2 (2.1.18-8~deb9u4) stretch; urgency=medium . * Avoid crash when importing without a TTY (Closes: #913614) graphite-api (1.1.3-2+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport spelling fix from 1.1.3-3. (Closes: #826020) . [ Vincent Bernat ] * d/service: fix RequiresMountsFor spelling. grokmirror (1.0.0-1.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . grokmirror (1.0.0-1.1) unstable; urgency=medium . * Non-maintainer upload. * Add the missing dependency on python-pkg-resources. (Closes: #888847) gvrng (4.4-3~deb9u1) stretch; urgency=medium . * QA upload. * Rebuild for stretch. . gvrng (4.4-3) unstable; urgency=high . * QA upload. * Fix the permissions problem that prevented starting gvrng. (Closes: #850516) * Tell dh_python2 where to find the files to generate dependencies. ibus (1.5.14-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Remove the dependency of the gir package against python, it breaks multiarch installation. (Closes: #889053) icecast2 (2.4.2-1+deb9u1) stretch-security; urgency=high . * d/p/CVE-2018-18820.patch: - Cherry-pick upstream commits fixing buffer overflow in URL authentication - Closes: #912611, CVE-2018-18820 icinga2 (2.6.0-2+deb9u1) stretch; urgency=medium . * [0eb3cad] Fix timestamps being stored as local time in PostgreSQL. intel-microcode (3.20180807a.2~deb9u1) stretch; urgency=medium . * Release managers: This update is being distributed by Debian in unstable, testing and jessie- and stretch-backports since 2018-10-30 without issues, and by most distros since 2018-08/2018-09, with no known reports of regressions on Westmere EP processors (Spectre mitigations are very expensive on Nehalem and Westmere, though). * SECURITY FIX: this update adds the accumulated fixes for Westmere EP (signature 0x206c2) from nearly a decade, including but likely not limited to: + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation) Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 + Implements SSBD support (Spectre v4 mitigation), Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix) Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation. Intel SA-0088, CVE-2017-5753, CVE-2017-5754 + Very likely implements LAPIC sinkhole fix + Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging may cause system crash * This Westmere EP microcode update has been explicitly approved by Intel for general distribution by operating systems, refer to the changelog entry for 3.20180807a.2 below . intel-microcode (3.20180807a.2) unstable; urgency=medium . * Makefile: unblacklist 0x206c2 (Westmere EP) According to pragyansri.pathi@intel.com, on message to LP#1795594 on 2018-10-09, we can ship 0x206c2 updates without restrictions. Also, there are no reports in the field about this update causing issues (closes: #907402) (LP: #1795594) intel-microcode (3.20180807a.2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports (no changes) . intel-microcode (3.20180807a.2) unstable; urgency=medium . * Makefile: unblacklist 0x206c2 (Westmere EP) According to pragyansri.pathi@intel.com, on message to LP#1795594 on 2018-10-09, we can ship 0x206c2 updates without restrictions. Also, there are no reports in the field about this update causing issues (closes: #907402) (LP: #1795594) intel-microcode (3.20180807a.2~bpo8+1) jessie-backports-sloppy; urgency=medium . * Rebuild for jessie-backports-sloppy (no changes) . intel-microcode (3.20180807a.2) unstable; urgency=medium . * Makefile: unblacklist 0x206c2 (Westmere EP) According to pragyansri.pathi@intel.com, on message to LP#1795594 on 2018-10-09, we can ship 0x206c2 updates without restrictions. Also, there are no reports in the field about this update causing issues (closes: #907402) (LP: #1795594) intel-microcode (3.20180807a.1) unstable; urgency=high . [ Henrique de Moraes Holschuh ] * New upstream microcode datafile 20180807a (closes: #906158, #906160, #903135, #903141) + New Microcodes: sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264 sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216 sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360 sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336 sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240 + Updated Microcodes: sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288 sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216 sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216 sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096 sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288 sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336 sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312 sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552 sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432 sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528 sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600 sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312 sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328 sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744 sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x7000013, size 22528 sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf000012, size 22528 sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384 sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328 sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728 sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304 sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304 sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304 sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280 sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304 + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation) Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 + Implements SSBD support (Spectre v4 mitigation), Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix) Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation for older processors with signatures 0x106a5, 0x106e5, 0x20652, 0x20655. Intel SA-0088, CVE-2017-5753, CVE-2017-5754 * source: update symlinks to reflect id of the latest release, 20180807a * debian/intel-microcode.docs: ship license and releasenote upstream files. * debian/changelog: update entry for 3.20180703.1 with L1TF information . [ Julian Andres Klode ] * initramfs: include all microcode for MODULES=most. Default to early instead of auto, and install all of the microcode, not just the one matching the current CPU, if MODULES=most is set in the initramfs-tools config (LP: #1778738) isort (4.2.5+ds1-2+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Add missing dependency on python3-pkg-resources. Thanks to Andreas Beckmann for reporting the issue. (Closes: #902327) * Fix dependencies of the python2 package by using the correct ${python:Depends} substvar instead of ${python3:Depends}. Thanks to Paul Wise for catching it. (Closes: #884682) jdupes (1.7-2+deb9u1) stretch; urgency=medium . * debian/patches/20_fix-crash-arm.patch: add to fix a potential crash in ARM. Thanks to Jody Bruchon . (Closes: #914078) kmodpy (0.1.10-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . kmodpy (0.1.10-2.1) unstable; urgency=high . * Non-maintainer upload. * Remove the incorrect Multi-Arch: same. (Closes: #897223) libapache-mod-jk (1:1.2.46-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 1.2.46 + CVE-2018-11759: fix information disclosure and privilege escalation libapache-mod-jk (1:1.2.44-3) unstable; urgency=medium . * Remove conf/httpd-jk.conf from debian/clean to fix a FTBFS when building binary-arch target. libapache-mod-jk (1:1.2.44-2) unstable; urgency=medium . * Fix broken httpd-jk symlink. Thanks to Andreas Beckmann for the report. (Closes: #910160) libapache-mod-jk (1:1.2.44-1) unstable; urgency=medium . * New upstream version 1.2.44. * Declare compliance with Debian Policy 4.2.1. * Remove Damien Raude-Morvan from Uploaders. Add myself to Uploaders. (Closes: #889461) * Suggest alternative tomcat9 package. * Drop obsolete libapache2-mod-jk.NEWS. * Install new httpd-jk.conf file which follows Apache 2.4 syntax. (Closes: #786635) libapache-mod-jk (1:1.2.43-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.3 * Switch to debhelper level 11 libapache2-mod-perl2 (2.0.10-2+deb9u1) stretch; urgency=medium . * [SECURITY] CVE-2011-2767: don't allow sections in user controlled configuration (Closes: #644169) libarchive (3.2.2-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload. * Fix the following security vulnerabilities: CVE-2016-10209, CVE-2016-10349, CVE-2016-10350, CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503, CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879 and CVE-2018-1000880. Multiple security vulnerabilities were found in libarchive, a multi-format archive and compression library. Heap-based buffer over-reads, NULL pointer dereferences, use-after-frees and out-of-bounds reads allow remote attackers to cause a denial-of-service (application crash) via specially crafted archive files. (Closes: #859456, #861609, #874539, #875966, #875974, #875960, #916964, #916963, #916960) libb2 (0.97-2+deb9u1) stretch; urgency=medium . * debian/patches/60ea749837362c226e8501718f505ab138e5c19d.patch: detect if the system can use AVX before actually using it (Closes: #884958) libdatetime-timezone-perl (1:2.09-1+2018i) stretch; urgency=medium . * Update to Olson database version 2018i. This update contains contemporary changes for São Tomé and Príncipe. libdatetime-timezone-perl (1:2.09-1+2018h) stretch; urgency=medium . * Update to Olson database version 2018h. This update contains contemporary changes for Kazakhstan, Alaska, Morocco, and Iran. libemail-address-list-perl (0.05-1+deb9u1) stretch; urgency=medium . * [SECURITY] Fix DoS vulnerability CVE-2018-18898 libemail-address-perl (1.908-1+deb9u1) stretch; urgency=medium . * Team upload. * [SECURITY]: Fix DoS vulnerabilities CVE-2015-7686 and CVE-2018-12558 libextractor (1:1.3-4+deb9u3) stretch-security; urgency=high . * Fix out-of-bounds read vulnerability in common/convert.c (Closes: #917214, CVE-2018-20430). * Fix NULL pointer dereference in OLE2 extractor (Closes: #917213, CVE-2018-20431). libgd2 (2.2.4-2+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Heap-based buffer overflow in gdImageColorMatch (CVE-2019-6977) (Closes: #920645) * Potential double-free in gdImage*Ptr() (CVE-2019-6978) (Closes: #920728) libgpod (0.8.3-8.2+deb9u1) stretch; urgency=high . * QA upload. * debian/control: Replace defunct Vcs-* fields with correct ones. * python-gpod: Add missing dependency on python-gobject-2. (Closes: #896230) liblivemedia (2016.11.28-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2018-4013: stack-based buffer overflow in the HTTP packet-parsing functionality, potentially resulting in code execution. libphp-phpmailer (5.2.14+dfsg-2.3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * object injection vulnerability (CVE-2018-19296) (Closes: #913912) libreoffice (1:5.2.7-1+deb9u5) stretch-security; urgency=high . * debian/patches/disableClassPathURLCheck.diff: add workaround to fix build with openjdks with S8195874 included - add -Djdk.net.URLClassPath.disableClassPathURLCheck=true to JAVAIFLAGS; see https://gerrit.libreoffice.org/#/c/63118/2 . * debian/patches/keep-pyuno-script-processing-below-base-uri.diff: as name says (CVE-2018-16858) * debian/patches/show-partial-signatures-even-if-cert-validation-fails.diff: as name says (CERT-Bund#2018100828000257), but backport the non-UI parts only - the "signing already existing PDFs" feature doesn't exist here yet libssh (0.7.3-2+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Fix broken server-side keyboard-interactive authentication. Thanks to Martin Pitt (Closes: #913870) libvncserver (0.9.11+dfsg-1.3~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch-security. libvncserver (0.9.11+dfsg-1.2) unstable; urgency=high . * Non-maintainer upload. * Fix multiple security vulnerabilities (Closes: #916941) - Use-after-free in file transfer extension allows for potential code execution (CVE-2018-15126) - Heap out-of-bounds write in rfbserver.c:rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - Multiple heap out-of-bound writes in VNC client code (CVE-2018-20019) - Heap out-of-bound write inside structure in VNC client code allows for potential code execution (CVE-2018-20020) - Infinite loop in VNC client code allows for denial of service (CVE-2018-20021) - Improper initialization in VNC client code allows for information disclosure (CVE-2018-20022) - Improper initialization in VNC Repeater client code allows for information disclosure (CVE-2018-20023) - NULL pointer dereference in VNC client code allows for denial of service (CVE-2018-20024) - Use-after-free in file transfer extension server code allows for potential code execution (CVE-2018-6307) * Update symbols file for libvncserver1. The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and introduces new CloseUndoneFileDownload and CloseUndoneFileUpload. libvncserver (0.9.11+dfsg-1.1) unstable; urgency=high . * Non-maintainer upload. * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. (Closes: #894045) linux (4.9.144-3) stretch; urgency=medium . * libceph: fix CEPH_FEATURE_CEPHX_V2 check in calc_signature() (regression in 4.9.144) linux (4.9.144-2) stretch; urgency=medium . * [mips*] inst: Avoid ABI change in 4.9.136 (fixes FTBFS) * efi/libstub: Unify command line param parsing (fixes FTBFS on arm64) linux (4.9.144-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.136 - xfrm: Validate address prefix lengths in the xfrm selector. - xfrm6: call kfree_skb when skb is toobig - mac80211: Always report TX status - cfg80211: reg: Init wiphy_idx in regulatory_hint_core() - mac80211: fix pending queue hang due to TX_DROP - cfg80211: Address some corner cases in scan result channel updating - mac80211: TDLS: fix skb queue/priority assignment - [armel,armhf] 8799/1: mm: fix pci_ioremap_io() offset check - xfrm: validate template mode - nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT - mac80211_hwsim: do not omit multicast announce of first added radio - Bluetooth: SMP: fix crash in unpairing - qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor - qed: Avoid constant logical operation warning in qed_vf_pf_acquire - asix: Check for supported Wake-on-LAN modes - ax88179_178a: Check for supported Wake-on-LAN modes - lan78xx: Check for supported Wake-on-LAN modes - sr9800: Check for supported Wake-on-LAN modes - r8152: Check for supported Wake-on-LAN Modes - smsc75xx: Check for Wake-on-LAN modes - smsc95xx: Check for Wake-on-LAN modes - perf/ring_buffer: Prevent concurent ring buffer access - [x86] perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX - [armhf] net: fec: fix rare tx timeout - net: cxgb3_main: fix a missing-check bug - perf symbols: Fix memory corruption because of zero length symbols - mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() - [mips*] microMIPS: Fix decoding of swsp16 instruction - [mips*] Handle non word sized instructions when examining frame - scsi: aacraid: Fix typo in blink status - f2fs: fix multiple f2fs_add_link() having same name for inline dentry - igb: Remove superfluous reset to PHY and page 0 selection - ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs - PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode - [arm64,armhf] i2c: bcm2835: Avoid possible NULL ptr dereference - efi/fb: Correct PCI_STD_RESOURCE_END usage - ipv6: set rt6i_protocol properly in the route when it is installed - [x86] platform: acer-wmi: setup accelerometer when ACPI device was found - IB/ipoib: Do not warn if IPoIB debugfs doesn't exist - IB/core: Fix the validations of a multicast LID in attach or detach operations - rxe: Fix a sleep-in-atomic bug in post_one_send - nvme-pci: fix CMB sysfs file removal in reset path - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well. - net/mlx5: Fix command completion after timeout access invalid structure - tipc: Fix tipc_sk_reinit handling of -EAGAIN - tipc: fix a race condition of releasing subscriber object - bnxt_en: Don't use rtnl lock to protect link change logic in workqueue. - [armhf] dts: bcm283x: Reserve first page for firmware - btrfs: fiemap: Cache and merge fiemap extent before submit it to user - [arm64] reset: hi6220: Set module license so that it can be loaded - [x86] ASoC: Intel: Skylake: Fix to parse consecutive string tkns in manifest - mac80211: fix TX aggregation start/stop callback race - libata: fix error checking in in ata_parse_force_one() - [armhf] net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization - [i386] x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC - [armhf] gpu: ipu-v3: Fix CSI selection for VDIC - [arm64,armhf] net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value - Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io - ufs: we need to sync inode before freeing it - net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare - ip6_tunnel: Correct tos value in collect_md mode - net/mlx5: Fix driver load error flow when firmware is stuck - perf evsel: Fix probing of precise_ip level for default cycles event - perf probe: Fix probe definition for inlined functions - net/mlx5: Fix health work queue spin lock to IRQ safe - [armhf] usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq - [armhf] clk: samsung: Fix m2m scaler clock on Exynos542x - rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp - qed: Warn PTT usage by wrong hw-function - ocfs2: fix deadlock caused by recursive locking in xattr - net: cdc_ncm: GetNtbFormat endian fix - sctp: use right member as the param of list_for_each_entry - ALSA: hda - No loopback on ALC299 codec - ath10k: convert warning about non-existent OTP board id to debug message - ipv6: fix cleanup ordering for ip6_mr failure - IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush - IB/rxe: put the pool on allocation failure - nbd: only set MSG_MORE when we have more to send - mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()' - IB/mlx5: Avoid passing an invalid QP type to firmware - scsi: qla2xxx: Avoid double completion of abort command - drm: bochs: Don't remove uninitialized fbdev framebuffer - i40e: avoid NVM acquire deadlock during NVM update - Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" - Btrfs: incremental send, fix invalid memory access - [arm64] drm/msm: Fix possible null dereference on failure of get_pages() - l2tp: remove configurable payload offset - macsec: fix memory leaks when skb_to_sgvec fails - perf/core: Fix locking for children siblings group read - cifs: Use ULL suffix for 64-bit constant - futex: futex_wake_op, do not fail on invalid op - ALSA: hda - Fix incorrect usage of IS_REACHABLE() - enic: do not overwrite error code - bonding: ratelimit failed speed/duplex update warning - nvmet: fix space padding in serial number - iio: buffer: fix the function signature to match implementation - [x86] paravirt: Fix some warning messages - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' - libertas: call into generic suspend code before turning off power - xhci: Fix USB3 NULL pointer dereference at logical disconnect. - [armhf] dts: imx53-qsb: disable 1.2GHz OPP - rxrpc: Don't check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window() - rxrpc: Only take the rwind and mtu values from latest ACK - [x86] net: ena: fix NULL dereference due to untimely napi initialization - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() - mtd: spi-nor: Add support for is25wp series chips - Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing" - bridge: do not add port to router list when receives query with source 0.0.0.0 - net: bridge: remove ipv6 zero address check in mcast queries - ipv6: mcast: fix a use-after-free in inet6_mc_check - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called - llc: set SOCK_RCU_FREE in llc_sap_add_socket() - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs - net: sched: gred: pass the right attribute to gred_change_table_def() - net: socket: fix a missing-check bug - [arm64,armhf] net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules - net: udp: fix handling of CHECKSUM_COMPLETE packets - r8169: fix NAPI handling under high load - sctp: fix race on sctp_id2asoc - vhost: Fix Spectre V1 vulnerability - ethtool: fix a privilege escalation bug - bonding: fix length of actor system - net: drop skb on failure in ip_check_defrag() - net: fix pskb_trim_rcsum_slow() with odd trim offset - rtnetlink: Disallow FDB configuration for non-Ethernet device - ip6_tunnel: Fix encapsulation layout - crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned - ahci: don't ignore result code of ahci_reset_controller() - xfs: truncate transaction does not modify the inobt - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) - ptp: fix Spectre v1 vulnerability - drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl - RDMA/ucma: Fix Spectre v1 vulnerability - IB/ucm: Fix Spectre v1 vulnerability - cdc-acm: correct counting of UART states in serial state notification - usb: gadget: storage: Fix Spectre v1 vulnerability - USB: fix the usbfs flag sanitization for control transfers - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM - sched/fair: Fix throttle_list starvation with low CFS quota - [x86] percpu: Fix this_cpu_read() - [x86] time: Correct the attribute on jiffies' definition - posix-timers: Sanitize overrun handling (CVE-2018-12896) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.137 - bcache: fix miss key refill->end in writeback - jffs2: free jffs2_sb_info through jffs2_kill_sb() - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges - [arm64] ipmi: Fix timer race with module unload - [hppa/parisc] Fix address in HPMC IVA - [hppa/parisc] Fix map_pages() to not overwrite existing pte entries - ALSA: hda - Add quirk for ASUS G751 laptop - ALSA: hda - Fix headphone pin config for ASUS G751 - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops - [x86] speculation: Enable cross-hyperthread spectre v2 STIBP mitigation - [x86] corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided - [x86] speculation: Support Enhanced IBRS on future CPUs - Revert "perf tools: Fix PMU term format max value calculation" - xfrm: policy: use hlist rcu variants on insert - sched/fair: Fix the min_vruntime update logic in dequeue_entity() - perf cpu_map: Align cpu map synthesized events properly. - [x86] fpu: Remove second definition of fpu in __fpu__restore_sig() - net: qla3xxx: Remove overflowing shift statement - locking/lockdep: Fix debug_locks off performance problem - tun: Consistently configure generic netdev params via rtnetlink - [s390x] sthyi: Fix machine name validity indication - [armhf] hwmon: (pwm-fan) Set fan speed to 0 on suspend - perf tools: Free temporary 'sys' string in read_event_files() - perf tools: Cleanup trace-event-info 'tdata' leak - perf strbuf: Match va_{add,copy} with va_end - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 - iwlwifi: pcie: avoid empty free RB queue - [i386] x86/olpc: Indicate that legacy PC XO-1 platform should not register RTC - [arm64,armhf] cpufreq: dt: Try freeing static OPPs only if we have added them - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth - [arm64] pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux - brcmfmac: fix for proper support of 160MHz bandwidth - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers - [arm64] pinctrl: qcom: spmi-mpp: Fix drive strength setting - [arm64] pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant - [arm64] pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant - ixgbevf: VF2VF TCP RSS - ath10k: schedule hardware restart if WMI command times out - cgroup, netclassid: add a preemption point to write_classid - scsi: esp_scsi: Track residual for PIO transfers - scsi: megaraid_sas: fix a missing-check bug - RDMA/core: Do not expose unsupported counters - IB/ipoib: Clear IPCB before icmp_send - tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated - [x86] VMCI: Resource wildcard match fixed - ext4: fix argument checking in EXT4_IOC_MOVE_EXT - MD: fix invalid stored role for a disk - PCI/MSI: Warn and return error if driver enables MSI/MSI-X twice - [arm64,armhf] usb: chipidea: Prevent unbalanced IRQ disable - [amd64] driver/dma/ioat: Call del_timer_sync() without holding prep_lock - uio: ensure class is registered before devices - scsi: lpfc: Correct soft lockup when running mds diagnostics - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init - ALSA: hda: Check the non-cached stream buffers more explicitly - [armhf] dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes - [armhf] dts: exynos: Add missing cooling device properties for CPUs - [armhf] dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings - [armhf] dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250 - xen-swiotlb: use actually allocated size on check physical continuous - [x86] tpm: Restore functionality to xen vtpm driver. - xen/blkfront: avoid NULL blkfront_info dereference on device removal - [x86] xen: fix race in xen_qlock_wait() - [x86] xen: make xen_qlock_wait() nestable - libertas: don't set URB_ZERO_PACKET on IN USB transfer - [x86] usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten - iwlwifi: mvm: check return value of rs_rate_from_ucode_rate() - [x86] libnvdimm: Hold reference on parent while scheduling async init - [x86] ASoC: intel: skylake: Add missing break in skl_tplg_get_token() - jbd2: fix use after free in jbd2_log_do_checkpoint() - gfs2_meta: ->mount() can get NULL dev_name - ext4: initialize retries variable in ext4_da_write_inline_data_begin() - ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR - HID: hiddev: fix potential Spectre v1 - EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting - [amd64] EDAC, skx_edac: Fix logical channel intermediate decoding - PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk - [ppc64el] signal/GenWQE: Fix sending of SIGKILL - crypto: lrw - Fix out-of bounds access on counter overflow - crypto: tcrypt - fix ghash-generic speed test - ima: fix showing large 'violations' or 'runtime_measurements_count' - hugetlbfs: dirty pages as they are added to pagecache - [armhf] w1: omap-hdq: fix missing bus unregister at removal - smb3: allow stats which track session and share reconnects to be reset - smb3: do not attempt cifs operation in smb3 query info error path - smb3: on kerberos mount if server doesn't specify auth type use krb5 - printk: Fix panic caused by passing log_buf_len to command line - genirq: Fix race on spurious interrupt detection - NFSv4.1: Fix the r/wsize checking - nfsd: Fix an Oops in free_session() - lockd: fix access beyond unterminated strings in prints - dm ioctl: harden copy_params()'s copy_from_user() from malicious users - [powerpc*] msi: Fix compile error on mpc83xx - [mips*] OCTEON: fix out of bounds array access on CN68XX - media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD - [x86] xen: fix xen_qlock_wait() - media: em28xx: use a default format if TRY_FMT fails - media: tvp5150: avoid going past array on v4l2_querymenu() - media: em28xx: fix input name for Terratec AV 350 - media: em28xx: make v4l2-compliance happier by starting sequence on zero - [arm64] lse: remove -fcall-used-x0 flag - rpmsg: smd: fix memory leak on channel create - Cramfs: fix abad comparison when wrap-arounds occur - [arm64,armhf] soc/tegra: pmc: Fix child-node lookup - btrfs: Handle owner mismatch gracefully when walking up tree - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock - btrfs: fix error handling in free_log_tree - btrfs: iterate all devices during trim, instead of fs_devices::alloc_list - btrfs: don't attempt to trim devices that don't support it - btrfs: wait on caching when putting the bg cache - btrfs: reset max_extent_size on clear in a bitmap - btrfs: make sure we create all new block groups - Btrfs: fix wrong dentries after fsync of file that got its parent replaced - btrfs: qgroup: Dirty all qgroups before rescan - Btrfs: fix null pointer dereference on compressed write path error - btrfs: set max_extent_size properly - MD: fix invalid stored role for a disk - try2 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.138 - [powerpc*] powerpc/eeh: Fix possible null deref in eeh_dump_dev_log() - tty: check name length in tty_find_polling_driver() - [powerpc*] nohash: fix undefined behaviour when testing page size support - [armhf] drm/omap: fix memory barrier bug in DMM driver - media: pci: cx23885: handle adding to list failure - [mips*] kexec: Mark CPU offline before disabling local IRQ - [powerpc*] boot: Ensure _zimage_start is a weak symbol - [mips*] PCI: Call pcie_bus_configure_settings() to set MPS/MRRS - media: tvp5150: fix width alignment during set_selection() - 9p locks: fix glock.client_id leak in do_lock - 9p: clear dangling pointers in p9stat_free - cdrom: fix improper type cast, which can leat to information leak. (CVE-2018-18710) - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters - scsi: qla2xxx: shutdown chip if reset fail - fuse: Fix use-after-free in fuse_dev_do_read() - fuse: Fix use-after-free in fuse_dev_do_write() - fuse: fix blocked_waitq wakeup - fuse: set FR_SENT while locked - mm: do not bug_on on incorrect length in __mm_populate() - e1000: avoid null pointer dereference on invalid stat type - e1000: fix race condition between e1000_down() and e1000_watchdog - bna: ethtool: Avoid reading past end of buffer - [hppa/parisc] Align os_hpmc_size on word boundary - [hppa/parisc] Fix HPMC handler by increasing size to multiple of 16 bytes - [hppa/parisc] Fix exported address of os_hpmc handler - [mips64el,mipsel] Loongson-3: Fix CPU UART irq delivery problem - [mips64le,mipsel] Loongson-3: Fix BRIDGE irq delivery problem - [armhf] clk: s2mps11: Fix matching when built as module and DT node contains compatible - [armhf] clk: rockchip: Fix static checker warning in rockchip_ddrclk_get_parent call - libceph: bump CEPH_MSG_MAX_DATA_LEN - Revert "ceph: fix dentry leak in splice_dentry()" - mach64: fix display corruption on big endian machines - mach64: fix image corruption due to reading accelerator registers - [arm64] reset: hisilicon: fix potential NULL pointer dereference - vhost/scsi: truncate T10 PI iov_iter to prot_bytes - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings - netfilter: conntrack: fix calculation of next bucket number in early_drop - termios, tty/tty_baudrate.c: fix buffer overrun - Btrfs: fix cur_offset in the error case for nocow - Btrfs: fix data corruption due to cloning of eof block - clockevents/drivers/i8253: Add support for PIT shutdown quirk - ext4: add missing brelse() update_backups()'s error path - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path - ext4: add missing brelse() add_new_gdb_meta_bg()'s error path - ext4: avoid potential extra brelse in setup_new_flex_group_blocks() - ext4: fix possible inode leak in the retry loop of ext4_resize_fs() - ext4: avoid buffer leak in ext4_orphan_add() after prior errors - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing - ext4: avoid possible double brelse() in add_new_gdb() on error path - ext4: fix possible leak of sbi->s_group_desc_leak in error path - ext4: fix possible leak of s_journal_flag_rwsem in error path - ext4: release bs.bh before re-using in ext4_xattr_block_find() - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path - ext4: fix buffer leak in __ext4_read_dirblock() on error path - mount: Retest MNT_LOCKED in do_umount - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts - mount: Prevent MNT_DETACH from disconnecting locked mounts - sunrpc: correct the computation for page_ptr when truncating - nfsd: COPY and CLONE operations require the saved filehandle to be set - rtc: hctosys: Add missing range error reporting - fuse: fix use-after-free in fuse_direct_IO() - fuse: fix leaked notify reply - configfs: replace strncpy with memcpy - lib/ubsan.c: don't mark __ubsan_handle_builtin_unreachable as noreturn - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! - mm: migration: fix migration of huge PMD shared pages - [armhf] drm/rockchip: Allow driver to be shutdown on reboot/kexec - drm/dp_mst: Check if primary mstb is null - [x86] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values - [x86] drm/i915/execlists: Force write serialisation into context image vs execution - [arm64] KVM: Fix caching of host MDCR_EL2 value https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.139 - flow_dissector: do not dissect l4 ports for fragments - ip_tunnel: don't force DF when MTU is locked - net-gro: reset skb->pkt_type in napi_reuse_skb() - sctp: not allow to set asoc prsctp_enable by sockopt - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths - usbnet: smsc95xx: disable carrier check while suspending - inet: frags: better deal with smp races - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF - kbuild: Add better clang cross build support - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS - kbuild: Consolidate header generation from ASM offset information - kbuild: consolidate redundant sed script ASM offset generation - kbuild: fix asm-offset generation to work with clang - kbuild: drop -Wno-unknown-warning-option from clang options - kbuild, LLVMLinux: Add -Werror to cc-option to support clang - kbuild: use -Oz instead of -Os when using clang - kbuild: Add support to generate LLVM assembly files - modules: mark __inittest/__exittest as __maybe_unused - [x86] kbuild: Use cc-option to enable -falign-{jumps/loops} - [amd64] crypto, x86: aesni - fix token pasting for clang - kbuild: Add __cc-option macro - [x86] build: Use __cc-option for boot code compiler options - [x86] build: Specify stack alignment for clang - kbuild: clang: Disable 'address-of-packed-member' warning - [arm64] crypto: arm64/sha - avoid non-standard inline asm tricks - [x86] boot: #undef memcpy() et al in string.c - [arm64] efi/libstub/arm64: Use hidden attribute for struct screen_info reference - [arm64] efi/libstub/arm64: Force 'hidden' visibility for section markers - efi/libstub: Preserve .debug sections after absolute relocation check - [arm64] efi/libstub/arm64: Set -fpie when building the EFI stub - [x86] build: Fix stack alignment for CLang - [x86] build: Use cc-option to validate stack alignment parameter - Kbuild: use -fshort-wchar globally - [arm64] uaccess: suppress spurious clang warning - [armel,armhf] add more CPU part numbers for Cortex and Brahma B15 CPUs - [armel,armhf] bugs: prepare processor bug infrastructure - [armel,armhf] bugs: hook processor bug checking into SMP and suspend paths - [armel,armhf] bugs: add support for per-processor bug checking - [armel,armhf] spectre: add Kconfig symbol for CPUs vulnerable to Spectre - [armel,armhf] spectre-v2: harden branch predictor on context switches - [armel,armhf] spectre-v2: add Cortex A8 and A15 validation of the IBE bit - [armel,armhf] spectre-v2: harden user aborts in kernel space - [armel,armhf] spectre-v2: add firmware based hardening - [armel,armhf] spectre-v2: warn about incorrect context switching functions - [armel,armhf] KVM: invalidate BTB on guest exit for Cortex-A12/A17 - [armel,armhf] KVM: invalidate icache on guest exit for Cortex-A15 - [armel,armhf] spectre-v2: KVM: invalidate icache on guest exit for Brahma B15 - [armel,armhf] KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling - [armel,armhf] KVM: report support for SMCCC_ARCH_WORKAROUND_1 - [armel,armhf] spectre-v1: add speculation barrier (csdb) macros - [armel,armhf] spectre-v1: add array_index_mask_nospec() implementation - [armel,armhf] spectre-v1: fix syscall entry - [armel,armhf] signal: copy registers using __copy_from_user() - [armel,armhf] vfp: use __copy_from_user() when restoring VFP state - [armel,armhf] oabi-compat: copy semops using __copy_from_user() - [armel,armhf] use __inttype() in get_user() - [armel,armhf] spectre-v1: use get_user() for __get_user() - [armel,armhf] spectre-v1: mitigate user accesses https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.140 - Revert "x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation" - Revert "ipv6: set rt6i_protocol properly in the route when it is installed" https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.141 - cifs: don't dereference smb_file_target before null check - reiserfs: propagate errors from fill_with_dentries() properly - hfs: prevent btree data loss on root split - hfsplus: prevent btree data loss on root split - drm/edid: Add 6 bpc quirk for BOE panel. - clk: fixed-rate: fix of_node_get-put imbalance - fs/exofs: fix potential memory leak in mount option parsing - [armhf] clk: samsung: exynos5420: Enable PERIS clocks for suspend - [x86] platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 - [arm64] percpu: Initialize ret in the default case - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() - netfilter: xt_IDLETIMER: add sysfs filename checking routine - [s390x] qeth: fix HiperSockets sniffer - [ppc64el] hwmon: (ibmpowernv) Remove bogus __init annotations - clk: fixed-factor: fix of_node_get-put imbalance - qed: Fix memory/entry leak in qed_init_sp_request() - qed: Fix blocking/unlimited SPQ entries leak - zram: close udev startup race condition as default groups - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() - gfs2: Put bitmap buffers in put_super - btrfs: Enhance btrfs_trim_fs function to handle error better - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem - btrfs: fix pinned underflow after transaction aborted - Revert "media: videobuf2-core: don't call memop 'finish' when queueing" - Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" - media: v4l: event: Add subscription to list before calling "add" operation - uio: Fix an Oops on load - usb: cdc-acm: add entry for Hiro (Conexant) modem - USB: quirks: Add no-lpm quirk for Raydium touchscreens - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB - USB: misc: appledisplay: add 20" Apple Cinema Display - [x86] ACPI / platform: Add SMB0001 HID to forbidden_id_list - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges - libceph: fall back to sendmsg for slab pages https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.142 - usb: core: Fix hub port connection events lost - [arm64,armhf] usb: dwc3: core: Clean up ULPI device - usb: xhci: fix timeout for transition from RExit to U0 - MAINTAINERS: Add Sasha as a stable branch maintainer - gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path - iwlwifi: mvm: support sta_statistics() even on older firmware - iwlwifi: mvm: fix regulatory domain update when the firmware starts - brcmfmac: fix reporting support for 160 MHz channels - tools/power/cpupower: fix compilation with STATIC=true - v9fs_dir_readdir: fix double-free on p9stat_read error - selinux: Add __GFP_NOWARN to allocation at str_read() - bfs: add sanity check at bfs_fill_super() - sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer - gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd - llc: do not use sk_eat_skb() - mm: don't warn about large allocations for slab - drm/ast: change resolution may cause screen blurred - drm/ast: fixed cursor may disappear sometimes - drm/ast: Remove existing framebuffers before loading driver - can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() - can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length - can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds - can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb - IB/core: Fix for core panic - [amd64] IB/hfi1: Eliminate races in the SDMA send error path - usb: xhci: Prevent bus suspend if a port connect change or polling state is detected - [arm64] pinctrl: meson: fix pinconf bias disable - [armhf] cpufreq: imx6q: add return value check for voltage scale - floppy: fix race condition in __floppy_read_block_0() - [powerpc*] io: Fix the IO workarounds code to work with Radix - [x86] perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and CoffeeLake CPUs - SUNRPC: Fix a bogus get/put in generic_key_to_expire() - [powerpc*] numa: Suppress "VPHN is not supported" messages - [arm64,armhf] efi/arm: Revert deferred unmap of early memmap mapping - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset - of: add helper to lookup compatible child node - ath10k: fix kernel panic due to race in accessing arvif list - Input: xpad - add product ID for Xbox One S pad - Input: xpad - fix Xbox One rumble stopping after 2.5 secs - Input: xpad - correctly sort vendor id's - Input: xpad - move reporting xbox one home button to common function - Input: xpad - simplify error condition in init_output - Input: xpad - don't depend on endpoint order - Input: xpad - fix stuck mode button on Xbox One S pad - Input: xpad - restore LED state after device resume - Input: xpad - support some quirky Xbox One pads - Input: xpad - sort supported devices by USB ID - Input: xpad - sync supported devices with xboxdrv - Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth - Input: xpad - sync supported devices with 360Controller - Input: xpad - sync supported devices with XBCD - Input: xpad - constify usb_device_id - Input: xpad - fix PowerA init quirk for some gamepad models - Input: xpad - validate USB endpoint type during probe - Input: xpad - add support for PDP Xbox One controllers - Input: xpad - add PDP device id 0x02a4 - Input: xpad - fix some coding style issues - Input: xpad - avoid using __set_bit() for capabilities - Input: xpad - add GPD Win 2 Controller USB IDs - Input: xpad - fix GPD Win 2 controller name - Input: xpad - add support for Xbox1 PDP Camo series gamepad - mwifiex: prevent register accesses after host is sleeping - mwifiex: report error to PCIe for suspend failure - mwifiex: Fix NULL pointer dereference in skb_dequeue() - mwifiex: fix p2p device doesn't find in scan problem - scsi: ufs: fix bugs related to null pointer access and array size - scsi: ufshcd: Fix race between clk scaling and ungate work - scsi: ufs: fix race between clock gating and devfreq scaling work - scsi: ufshcd: release resources if probe fails - tty: wipe buffer. - tty: wipe buffer if not echoing data - usb: xhci: fix uninitialized completion when USB3 port got wrong status - sched/core: Allow __sched_setscheduler() in interrupts when PI is not used - namei: allow restricted O_CREAT of FIFOs and regular files - lan78xx: Read MAC address from DT if present - [s390x] mm: Check for valid vma before zapping in gmap_discard - net: ieee802154: 6lowpan: fix frag reassembly - Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC" - ima: always measure and audit files in policy - ima: re-introduce own integrity cache lock - ima: re-initialize iint->atomic_flags https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.143 - mm/huge_memory: rename freeze_page() to unmap_page() - mm/huge_memory.c: reorder operations in __split_huge_page_tail() - mm/huge_memory: splitting set mapping+index before unfreeze - mm/huge_memory: fix lockdep complaint on 32-bit i_size_read() - mm/khugepaged: collapse_shmem() stop if punched or truncated - shmem: shmem_charge: verify max_block is not exceeded before inode update - shmem: introduce shmem_inode_acct_block - mm/khugepaged: fix crashes due to misaccounted holes - mm/khugepaged: collapse_shmem() remember to clear holes - mm/khugepaged: minor reorderings in collapse_shmem() - mm/khugepaged: collapse_shmem() without freezing new_page - mm/khugepaged: collapse_shmem() do not crash on Compound - media: em28xx: Fix use-after-free when disconnecting - [arm64,armhf] Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()" - net: skb_scrub_packet(): Scrub offload_fwd_mark - [s390x] qeth: fix length check in SNMP processing - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 - [x86] kvm: mmu: Fix race in emulated page table writes - [x86] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb - [x86] KVM: Fix scan ioapic use-before-initialization (CVE-2018-19407) - Btrfs: ensure path name is null terminated at btrfs_control_ioctl - [x86] perf/x86/intel: Move branch tracing setup to the Intel-specific source file - [x86] perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts() - fs: fix lost error code in dio_complete - [i386] ALSA: wss: Fix invalid snd_free_pages() at error path - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write - ALSA: control: Fix race between adding and removing a user element - [sparc] ALSA: sparc: Fix invalid snd_free_pages() at error path - ext2: fix potential use after free - btrfs: release metadata before running delayed refs - USB: usb-storage: Add new IDs to ums-realtek - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series - Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid" - mm: use swp_offset as key in shmem_replace_page() - [x86] Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() - [amd64] misc: mic/scif: fix copy-paste error in scif_create_remote_lookup - [armhf] bus: arm-cci: remove unnecessary unreachable() - [armhf] trusted_foundations: do not use naked function - [x86] efi/libstub: Make file I/O chunking x86-specific https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.144 - kernfs: Replace strncpy with memcpy - ip_tunnel: Fix name string concatenate in __ip_tunnel_create() - scsi: bfa: convert to strlcpy/strlcat - [x86] staging: rts5208: fix gcc-8 logic error warning - [amd64] x86/power/64: Use char arrays for asm function names - iser: set sector for ambiguous mr status errors - uprobes: Fix handle_swbp() vs. unregister() + register() race once more - [mips*] fix mips_get_syscall_arg o32 check - IB/mlx5: Avoid load failure due to unknown link width - drm/ast: Fix incorrect free on ioregs - drm: set is_master to 0 upon drm_new_set_master() failure - scsi: scsi_devinfo: cleanly zero-pad devinfo strings - scsi: csiostor: Avoid content leaks and casts - [x86] svm: Add mutex_lock to protect apic_access_page_done on AMD systems - Input: xpad - quirk all PDP Xbox One gamepads - Input: elan_i2c - add ELAN0620 to the ACPI table - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR - Input: elan_i2c - add support for ELAN0621 touchpad - btrfs: Always try all copies when reading extent buffers - Btrfs: fix use-after-free when dumping free space - udf: Allow mounting volumes with incorrect identification strings - [arm64,armhf] reset: make optional functions really optional - [arm64,armhf] reset: core: fix reset_control_put - reset: fix optional reset_control_get stubs to return NULL - [arm64,armhf] reset: add exported __reset_control_get, return NULL if optional - [arm64,armhf] reset: make device_reset_optional() really optional - reset: remove remaining WARN_ON() in - mm: cleancache: fix corruption on missed inode invalidation (CVE-2018-16862) - net: qed: use correct strncpy() size - tipc: use destination length for copy string - libceph: drop len argument of *verify_authorizer_reply() - libceph: no need to drop con->mutex for ->get_authorizer() - libceph: store ceph_auth_handshake pointer in ceph_connection - libceph: factor out __prepare_write_connect() - libceph: factor out __ceph_x_decrypt() - libceph: factor out encrypt_authorizer() - libceph: add authorizer challenge (CVE-2018-1128) - libceph: implement CEPHX_V2 calculation mode (CVE-2018-1129) - libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() - libceph: check authorizer reply/challenge length before reading - bpf: Prevent memory disambiguation attack (CVE-2018-3639) - wil6210: missing length check in wmi_set_ie (CVE-2018-5848) - btrfs: validate type when reading a chunk (CVE-2018-14611) - btrfs: Verify that every chunk has corresponding block group at mount time (CVE-2018-14612) - btrfs: Refactor check_leaf function for later expansion - btrfs: Check if item pointer overlaps with the item itself - btrfs: Add sanity check for EXTENT_DATA when reading out leaf - btrfs: Add checker for EXTENT_CSUM - btrfs: Move leaf and node validation checker to tree-checker.c - btrfs: struct-funcs, constify readers - btrfs: tree-checker: Enhance btrfs_check_node output - btrfs: tree-checker: Fix false panic for sanity test - btrfs: tree-checker: Add checker for dir item - btrfs: tree-checker: use %zu format string for size_t - btrfs: tree-check: reduce stack consumption in check_dir_item - btrfs: tree-checker: Verify block_group_item (CVE-2018-14613) - btrfs: tree-checker: Detect invalid and empty essential trees (CVE-2018-14612) - btrfs: Check that each block group has corresponding chunk at mount time (CVE-2018-14610) - btrfs: tree-checker: Check level for leaves and nodes - btrfs: tree-checker: Fix misleading group system information - f2fs: fix race condition in between free nid allocator/initializer (CVE-2017-18249) - f2fs: detect wrong layout - f2fs: return error during fill_super - f2fs: check blkaddr more accuratly before issue a bio - f2fs: sanity check on sit entry - f2fs: enhance sanity_check_raw_super() to avoid potential overflow - f2fs: clean up with is_valid_blkaddr() - f2fs: introduce and spread verify_blkaddr - f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100) - f2fs: fix to do sanity check with user_block_count (CVE-2018-13097) - f2fs: Add sanity_check_inode() function - f2fs: fix to do sanity check with node footer and iblocks (CVE-2018-13096) - f2fs: fix to do sanity check with block address in main area - f2fs: fix missing up_read - f2fs: fix to do sanity check with block address in main area v2 (CVE-2018-14616) - f2fs: free meta pages if sanity check for ckpt is failed - f2fs: fix to do sanity check with cp_pack_start_sum (CVE-2018-14614) - xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE (CVE-2018-18690) - hugetlbfs: fix bug in pgoff overflow checking . [ Ben Hutchings ] * drivers/net/ethernet: Ignore ABI changes (fixes FTBFS on arm64; Closes: #914556) * libcpupower: Hide private function and drop it from .symbols file * Revert "elevator: fix truncation of icq_cache_name" to avoid ABI change * reset: Avoid ABI changes in 4.9.144 * esp_scsi: Ignore ABI changes * snd-hda: Ignore ABI changes * posix-timers: Avoid ABI change in 4.9.136 * sched: Avoid ABI change in 4.9.136 * [armel,armhf] Avoid ABI change in 4.9.139 . [ Noah Meyerhans ] * [arm64] PCI: Enable HOTPLUG_PCI and HOTPLUG_PCI_ACPI (Closes: #915231) * drivers/net/ethernet/amazon: Backport ENA 2.0.2 network driver (Closes: #915229) . [ Salvatore Bonaccorso ] * [rt] Refresh 0159-genirq-Allow-disabling-of-softirq-processing-in-irq-.patch for context changes in 4.9.137 * Refresh mips-loongson-3-support-irq_set_affinity-in-i8259-ch.patch for context changes in 4.9.138 * Refresh kbuild-use-nostdinc-in-compile-tests.patch for context changes in 4.9.139 * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes in 4.9.139 * scripts/mod: Update modpost wrapper for 4.9.139. Upstream commit cf0c3e68aa81 "kbuild: fix asm-offset generation to work with clang" changed the macros used by devicetable-offsets.c. Copy the new sed code from upstream scripts/Makefile.lib. Originates from the same change for 4.12 done by Ben Hutchings. * Refresh media-v4l-avoid-abi-change-in-4.9.131.patch for context changes in 4.9.141 * Refresh fs-enable-link-security-restrictions-by-default.patch for context changes in 4.9.142 * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes in 4.9.142 . [ Michal Simek ] * [arm64] Enable Xilinx ZynqMP SoC and drivers linux (4.9.135-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.131 - crypto: skcipher - Fix -Wstringop-truncation warnings - tsl2550: fix lux1_input error in low light - [x86] vmci: type promotion bug in qp_host_get_user_memory() - [amd64] numa_emulation: Fix emulated-to-physical node mapping - [x86] staging: rts5208: fix missing error check on call to rtsx_write_register - uwb: hwa-rc: fix memory leak at probe - [arm64,armhf] power: vexpress: fix corruption in notifier registration - [amd64] iommu/amd: make sure TLB to be flushed before IOVA freed - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 - USB: serial: kobil_sct: fix modem-status error handling - 6lowpan: iphc: reset mac_header after decompress to fix panic - [s390x] mm: correct allocate_pgste proc_handler callback - power: remove possible deadlock when unregistering power_supply - IB/core: type promotion bug in rdma_rw_init_one_mr() - [powerpc*] kdump: Handle crashkernel memory reservation failure - [x86] tsc: Add missing header to tsc_msr.c - [armhf] hwmod: RTC: Don't assume lock/unlock will be called with irq enabled - [x86] entry/64: Add two more instruction suffixes - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size - scsi: klist: Make it safe to use klists in atomic context - [powerpc/powerpc64,ppc64*] scsi: ibmvscsi: Improve strings handling - usb: wusbcore: security: cast sizeof to int for comparison - [ppc64el] powerpc/powernv/ioda2: Reduce upper limit for DMA window size - alarmtimer: Prevent overflow for relative nanosleep (CVE-2018-13053) - [s390x] extmem: fix gcc 8 stringop-overflow warning - [armhf] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data - drivers/tty: add error handling for pcmcia_loop_config - [x86] media: tm6000: add error handling for dvb_register_adapter - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() - [arm64,armhf] wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() - [armhf] mvebu: declare asm symbols as character arrays in pmsu.c - HID: hid-ntrig: add error handling for sysfs_create_group - [x86] perf/x86/intel/lbr: Fix incomplete LBR call stack - scsi: bnx2i: add error handling for ioremap_nocache - scsi: megaraid_sas: Update controller info during resume - [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove - ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs - nfsd: fix corrupted reply to badly ordered compound - EDAC: Fix memleak in module init error path - [armhf] dts: dra7: fix DCAN node addresses - [arm64] spi: tegra20-slink: explicitly enable/disable clock - [arm*] regulator: fix crash caused by null driver data - USB: fix error handling in usb_driver_claim_interface() - USB: handle NULL config in usb_find_alt_setting() - slub: make ->cpu_partial unsigned int - media: uvcvideo: Support realtek's UVC 1.5 device - USB: usbdevfs: sanitize flags more - USB: usbdevfs: restore warning for nonsensical flags - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()" - USB: remove LPM management from usb_driver_claim_interface() - Input: elantech - enable middle button of touchpad on ThinkPad P72 - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop - [amd64] IB/hfi1: Invalid user input can result in crash - [amd64] IB/hfi1: Fix context recovery when PBC has an UnsupportedVL - scsi: target: iscsi: Use bin2hex instead of a re-implementation - [armhf] serial: imx: restore handshaking irq for imx1 - [amd64] IB/hfi1: Fix SL array bounds check - qed: Wait for ready indication before rereading the shmem - qed: Wait for MCP halt and resume commands to take place - [arm*] thermal: of-thermal: disable passive polling when thermal zone is disabled - [arm64] net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES - [arm64] net: hns: fix skb->truesize underestimation - e1000: check on netif_running() before calling e1000_up() - e1000: ensure to free old tx/rx rings in set_ringparam() - hwmon: (adt7475) Make adt7475_read_word() return errors - [x86] drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode - [arm*] smccc-1.1: Make return values unsigned long - [arm*] smccc-1.1: Handle function result as parameters - [x86] i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus - media: v4l: event: Prevent freeing event subscriptions while accessed https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.132 - [arm64] serial: mvebu-uart: Fix reporting of effective CSIZE to userspace - time: Introduce jiffies64_to_nsecs() - mac80211: Run TXQ teardown code before de-registering interfaces - [ppc64el] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X - mac80211: mesh: fix HWMP sequence numbering to follow standard - [arm64] net: hns: add netif_carrier_off before change speed and duplex - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE - gpio: Fix crash due to registration race - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() - mac80211: fix a race between restart and CSA flows - mac80211: Fix station bandwidth setting after channel switch - mac80211: don't Tx a deauth frame if the AP forbade Tx - mac80211: shorten the IBSS debug messages - mm: madvise(MADV_DODUMP): allow hugetlbfs pages - HID: add support for Apple Magic Keyboards - HID: hid-saitek: Add device ID for RAT 7 Contagion - perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx() - [ppc64el] perf probe powerpc: Ignore SyS symbols irrespective of endianness - RDMA/ucma: check fd type in ucma_migrate_id() - USB: yurex: Check for truncation in yurex_read() - nvmet-rdma: fix possible bogus dereference under heavy load - net/mlx5: Consider PCI domain in search for next dev - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS - dm raid: fix rebuild of specific devices by updating superblock - fs/cifs: suppress a string overflow warning - [x86] net: ena: fix driver when PAGE_SIZE == 64kB - [x86] perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing CPUs - dm thin metadata: try to avoid ever aborting transactions - [arm64] jump_label.h: use asm_volatile_goto macro instead of "asm goto" - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED - [s390x] qeth: use vzalloc for QUERY OAT buffer - [s390x] qeth: don't dump past end of unknown HW header - cifs: read overflow in is_valid_oplock_break() - xen/manage: don't complain about an empty value in control/sysrq node - xen: avoid crash in disable_hotplug_cpu - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage - sysfs: Do not return POSIX ACL xattrs via listxattr - smb2: fix missing files in root share directory listing - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 - [x86] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe() - gpiolib: Free the last requested descriptor - proc: restrict kernel stack dumps to root (CVE-2018-17972) - ocfs2: fix locking for res->tracking and dlm->tracking_list - dm thin metadata: fix __udivdi3 undefined on 32-bit https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.133 - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly - [amd64] x86/vdso: Fix asm constraints on vDSO syscall fallbacks - [amd64] x86/vdso: Fix vDSO syscall fallback asm constraint regression - PCI: Reprogram bridge prefetch registers on resume - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys - PM / core: Clear the direct_complete flag on errors - dm cache metadata: ignore hints array being too small during resize - dm cache: fix resize crash if user doesn't reload cache table - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI - USB: serial: simple: add Motorola Tetra MTP6550 id - tty: Drop tty->count on tty_reopen() failure - cgroup: Fix deadlock in cpu hotplug path - ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait - ath10k: fix kernel panic issue during pci probe - f2fs: fix invalid memory access - ucma: fix a use-after-free in ucma_resolve_ip() - ubifs: Check for name being NULL while mounting - ath10k: fix scan crash due to incorrect length calculation - ebtables: arpreply: Add the standard target sanity check - [x86] fpu: Remove use_eager_fpu() - [x86] fpu: Remove struct fpu::counter - Revert "perf: sync up x86/.../cpufeatures.h" - [x86] fpu: Finish excising 'eagerfpu' https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.134 - [armhf] mfd: omap-usb-host: Fix dts probe of children - scsi: iscsi: target: Don't use stack buffer for scatterlist - scsi: qla2xxx: Fix an endian bug in fcpcmd_is_corrupted() - sound: enable interrupt after dma buffer initialization - [arm64,armhf] stmmac: fix valid numbers of unicast filter entries - [x86] kvm/lapic: always disable MMIO interface in x2APIC mode - ext4: Fix error code in ext4_xattr_set_entry() - mm/vmstat.c: fix outdated vmstat_text - mach64: detect the dot clock divider correctly on sparc - [x86] i2c: i2c-scmi: fix for i2c_smbus_write_block_data - xhci: Don't print a warning when setting link state for disabled ports - bnxt_en: Fix TX timeout during netpoll. - bonding: avoid possible dead-lock - ip6_tunnel: be careful when accessing the inner header - ip_tunnel: be careful when accessing the inner header - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() - ipv6: take rcu lock in rawv6_send_hdrinc() - [armhf] net: dsa: bcm_sf2: Call setup during switch resume - ]arm64] net: hns: fix for unmapping problem when SMMU is on - net: ipv4: update fnhe_pmtu when first hop's MTU changes - net/ipv6: Display all addresses in output of /proc/net/if_inet6 - net/usb: cancel pending work when unbinding smsc75xx - qlcnic: fix Tx descriptor corruption on 82xx devices - qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface - team: Forbid enslaving team device to itself - [armhf] net: dsa: bcm_sf2: Fix unbind ordering - [armhf] net: mvpp2: Extract the correct ethtype from the skb for tx csum offload - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 - tcp/dccp: fix lockdep issue when SYN is backlogged - inet: make sure to grab rcu_read_lock before using ireq->ireq_opt - inet: frags: change inet_frags_init_net() return value - inet: frags: add a pointer to struct netns_frags - inet: frags: refactor ipfrag_init() - inet: frags: refactor ipv6_frag_init() - inet: frags: refactor lowpan_net_frag_init() - ipv6: export ip6 fragments sysctl to unprivileged users - rhashtable: add schedule points - inet: frags: use rhashtables for reassembly units - inet: frags: remove some helpers - inet: frags: get rif of inet_frag_evicting() - inet: frags: remove inet_frag_maybe_warn_overflow() - inet: frags: do not clone skb in ip_expire() - ipv6: frags: rewrite ip6_expire_frag_queue() - inet: frags: get rid of ipfrag_skb_cb/FRAG_CB - ip: discard IPv4 datagrams with overlapping segments. - net: speed up skb_rbtree_purge() - net: modify skb_rbtree_purge to return the truesize of all purged skbs. - ipv6: defrag: drop non-last frags smaller than min mtu - net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends - net: add rb_to_skb() and other rb tree helpers - ip: use rb trees for IP frag queue. - ip: add helpers to process in-order fragments faster. - ip: process in-order fragments efficiently - ip: frags: fix crash in ip_do_fragment() - ipv4: frags: precedence bug in ip_expire() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135 - media: af9035: prevent buffer overflow on write - batman-adv: Fix segfault when writing to throughput_override - batman-adv: Fix segfault when writing to sysfs elp_interval - batman-adv: Prevent duplicated nc_node entry - batman-adv: Prevent duplicated softif_vlan entry - batman-adv: Prevent duplicated global TT entry - batman-adv: Prevent duplicated tvlv handler - batman-adv: fix backbone_gw refcount on queue_work() failure - batman-adv: fix hardif_neigh refcount on queue_work() failure - [armhf] clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs - [powerpc*/*64*] scsi: ibmvscsis: Fix a stringop-overflow warning - [powerpc*/*64*] scsi: ibmvscsis: Ensure partition name is properly NUL terminated - [arm64] drm: mali-dp: Call drm_crtc_vblank_reset on device init - scsi: sd: don't crash the host on invalid commands - net/mlx4: Use cpumask_available for eq->affinity_mask - [powerpc*] tm: Fix userspace r13 corruption - [powerpc*] tm: Avoid possible userspace r1 corruption on reclaim - [amd64] iommu/amd: Return devid as alias for ACPI HID devices - mremap: properly flush TLB before releasing the page (CVE-2018-18281) - mm: Preserve _PAGE_DEVMAP across mprotect() calls - netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info - HID: quirks: fix support for Apple Magic Keyboards - usb: gadget: serial: fix oops when data rx'd after close - sched/cputime: Convert kcpustat to nsecs - sched/cputime: Increment kcpustat directly on irqtime account - sched/cputime: Fix ksoftirqd cputime accounting regression - [x86] HV: properly delay KVP packets when negotiation is in progress . [ Ben Hutchings ] * Resolve ABI changes caused by upstream fix for CVE-2018-5391: - Revert "inet: frags: fix ip6frag_low_thresh boundary" - Revert "inet: frags: reorganize struct netns_frags" - Revert "rhashtable: reorganize struct rhashtable layout" - Revert "inet: frags: break the 2GB limit for frags storage" - inet: frags: Avoid ABI change in 4.9.134 - sk_buff: Avoid ABI change in 4.9.134 - snmp: Remove the ReasmOverlaps statistic - ipv6: Ignore ABI changes in fragment reassembly functions * [x86] fpu: Avoid ABI change in 4.9.133 * power: Avoid ABI change in 4.9.131 * slub: Avoid ABI change in 4.9.131 * media: v4l: Avoid ABI change in 4.9.131 * netdev: Hide netdev_notifier_info_ext from modules * [x86] Revert "x86/mm: Expand static page table for fixmap space" linux-igd (1.0+cvs20070630-5+deb9u1) stretch; urgency=medium . * QA upload. * Set maintainer to the QA group. * Make the init script require $network; patch by Nye Liu (Closes: #885826) lttng-modules (2.9.0-1+deb9u1) stable; urgency=medium . * [c3d8eab] Stretch gbp branch config * [ee40323] Fix build on linux-rt 4.9 kernels. (Closes: #864404) * [b20f74a] Fix build on >= 4.9.0-3 kernels (Closes: #889901) mistral (3.0.0-4+deb9u1) stretch; urgency=medium . * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files, applied upstream patch: remove extra information from std.ssh action. (Closes: #912714). monkeysign (2.2.3+deb9u1) stretch; urgency=medium . * upload to Debian stable mpqc (2.3.1-18+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport the sc-libtool fix from 2.3.1-19. . [ Michael Banck ] * debian/libsc-dev.install: Install sc-libtool as well, thanks to Hideki Yamane (closes: #873719). mupdf (1.9a+ds1-4+deb9u4) stretch-security; urgency=high . * Fix CVE-2017-17866, CVE-2018-1000037, CVE-2018-1000040, CVE-2018-5686, CVE-2018-6187, and CVE-2018-6192 (Closes: #885120, #887130, #888464, #888487) netatalk (2.2.5-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Unauthenticated remote code execution in Netatalk (CVE-2018-1160) nginx (1.10.3-1+deb9u2) stretch-security; urgency=high . * Backport http2_max_requests directive needed for CVE-2018-16844 mitigation * Backport upstream fixes for 3 CVEs (Closes: #913090) + CVE-2018-16843 Excessive memory usage in HTTP/2 + CVE-2018-16844 Excessive CPU usage in HTTP/2 This change limits the maximum allowed number of idle state switches to 10 * http2_max_requests (i.e., 10000 by default). This limits possible CPU usage in one connection, and also imposes a limit on the maximum lifetime of a connection + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module nvidia-graphics-drivers (390.87-8~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers (390.87-8) unstable; urgency=medium . * Tune more package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. . nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . * Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. . nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. * Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. . nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. . nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. . nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". . nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). - Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . [ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to unsupported relocations. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. . nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . * New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. - Fixed a bug that caused kwin OpenGL compositing to crash when launching certain OpenGL applications. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. . nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. . nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #901919) . nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. * (Closes: #884917) . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) . nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Fixed intermittent hangs of fullscreen Vulkan applications when focused away (e.g., by using the alt-tab key combination) on non-composited desktops. - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. (Closes: #900112, #902375) . nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . * Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. * Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. . nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. . nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. (Closes: #894338) https://nvidia.custhelp.com/app/answers/detail/a_id/4649 - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. . nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options." . [ Andreas Beckmann ] * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. (Closes: #892413) * Remove obsolete bits from README.source. . nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. . nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. * (Closes: #872988) . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. . nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. - Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. - Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . [ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the Volta GPUs (VDPAU feature set I), e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. . nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4 (unstable), 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. . nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . [ Luca Boccassi ] * Add timer.patch to fix kernel module build for Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx short lived branch. . nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. . nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). (Closes: #881164) - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). - Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. G-SYNC is enabled by default when using G-SYNC-ready monitors. For direct-to-display swapchains, an application profile with "GLGSYNCAllowed" setting set to 'false' can be used to disable this feature: { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] } * New upstream beta 387.12 (2017-10-03). - Fixed a regression that caused some display connectors on some GPUs to not report a connected HDMI or DisplayPort audio device even if the connected monitor supports audio. - Fixed a race condition that could lead to crashes when OpenGL programs manipulated vertex buffer objects from multiple threads simultaneously. - Improved performance of fullscreen Vulkan applications using X11 swapchains. This optimization will cause more events that trigger an out-of-date swapchain, such as when entering or leaving fullscreen mode. (This is commonly encountered when using the alt-tab key combination, for example.) Applications that do not properly respond to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly when these events occur. See section 30.8 of the Vulkan specification. - Added support for YUV 4:2:0 compression for monitors connected via DisplayPort in configurations where either the display or GPU is incapable of driving the current mode in RGB 4:4:4. See the description in the "Programming Modes" appendix for details. - Added framebuffer console hot plug handling to nvidia-modeset. Note that hot plugging is only handled when nvidia-modeset is initialized; for example, when Xorg or nvidia-persistenced is running or when nvidia-drm is loaded with the "modeset=1" parameter. - Added an "AllowGSYNC" MetaMode attribute that can be used to disable G-SYNC completely. This can be use to allow enabling features that are incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock. - Fixed several problems that prevented the "cc_version_check" sanity test from running correctly when building the NVIDIA kernel modules. As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. . [ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in NVIDIA's license, which warns that the drivers are licensed for usage with NVIDIA hardware. * Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. nvidia-graphics-drivers (390.87-8~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-8) unstable; urgency=medium . * Tune more package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. . nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . * Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. * Drop versioned constraints that are satisfied in jessie. nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . * Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. * Drop versioned constraints that are satisfied in jessie. nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . [ Andreas Beckmann ] * Switch to debhelper-compat (= 12). nvidia-graphics-drivers (390.87-6~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . [ Andreas Beckmann ] * Switch to debhelper-compat (= 12). . nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. * Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. * Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. nvidia-graphics-drivers (390.87-4~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. . nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. * Switch to debhelper-compat (= 11). nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. * Switch to debhelper-compat (= 11). nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". nvidia-graphics-drivers (390.87-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". . nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). - Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . [ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to unsupported relocations. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). - Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . [ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to mismatching symvers. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . * New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. nvidia-graphics-drivers (390.77-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Use vulkan from stretch-backports. . nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . * New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. . nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #901919) nvidia-graphics-drivers (390.67-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Use libglvnd and MESA from stretch-backports. . nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #901919) . nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) . nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Fixed intermittent hangs of fullscreen Vulkan applications when focused away (e.g., by using the alt-tab key combination) on non-composited desktops. - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. (Closes: #900112) . nvidia-graphics-drivers (390.48-4) UNRELEASED; urgency=medium . * Stop building lib*-glvnd-nvidia, now built from the 390xx legacy driver. * Switch to debhelper compat level 11. . nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . * Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. * Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Andreas Beckmann ] * Stop building lib*-glvnd-nvidia, now built from the 390xx legacy driver. * Switch to debhelper compat level 11. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. (Closes: #900112) nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . * Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. * Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. nvidia-graphics-drivers (390.48-2~bpo9+3) stretch-backports; urgency=medium . * Add Conflicts against glvnd-aware MESA >= 17 from stretch-backports. * Fix some upgrade issues from older versions in stretch. nvidia-graphics-drivers (390.48-2~bpo9+2) stretch-backports; urgency=medium . * Disable alternative dependencies and add Conflicts against libglvnd from stretch-backports. nvidia-graphics-drivers (390.48-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. . nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. . nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options." . [ Andreas Beckmann ] * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. (Closes: #892413) * Remove obsolete bits from README.source. . nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. . nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. . nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. - Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. - Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . [ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the Volta GPUs (VDPAU feature set I), e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. . nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4 (unstable), 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. . nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx short lived branch. . nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. . nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). (Closes: #881164) - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). - Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. G-SYNC is enabled by default when using G-SYNC-ready monitors. For direct-to-display swapchains, an application profile with "GLGSYNCAllowed" setting set to 'false' can be used to disable this feature: { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] } * New upstream beta 387.12 (2017-10-03). - Fixed a regression that caused some display connectors on some GPUs to not report a connected HDMI or DisplayPort audio device even if the connected monitor supports audio. - Fixed a race condition that could lead to crashes when OpenGL programs manipulated vertex buffer objects from multiple threads simultaneously. - Improved performance of fullscreen Vulkan applications using X11 swapchains. This optimization will cause more events that trigger an out-of-date swapchain, such as when entering or leaving fullscreen mode. (This is commonly encountered when using the alt-tab key combination, for example.) Applications that do not properly respond to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly when these events occur. See section 30.8 of the Vulkan specification. - Added support for YUV 4:2:0 compression for monitors connected via DisplayPort in configurations where either the display or GPU is incapable of driving the current mode in RGB 4:4:4. See the description in the "Programming Modes" appendix for details. - Added framebuffer console hot plug handling to nvidia-modeset. Note that hot plugging is only handled when nvidia-modeset is initialized; for example, when Xorg or nvidia-persistenced is running or when nvidia-drm is loaded with the "modeset=1" parameter. - Added an "AllowGSYNC" MetaMode attribute that can be used to disable G-SYNC completely. This can be use to allow enabling features that are incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock. - Fixed several problems that prevented the "cc_version_check" sanity test from running correctly when building the NVIDIA kernel modules. As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. . [ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in NVIDIA's license, which warns that the drivers are licensed for usage with NVIDIA hardware. * Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. . nvidia-graphics-drivers (384.130-1) stretch; urgency=medium . * New upstream long lived branch release 384.130 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Improved compatibility with recent Linux kernels. - Fixed a string concatenation bug that caused libGL to accidentally try to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases where /tmp isn't accessible. (Closes: #888028) - Increased the version numbers of the GLVND libGL, libGLESv1_CM, libGLESv2, and libEGL libraries, to prevent concurrently installed non-GLVND libraries from taking precedence in the dynamic linker cache. * New upstream release 340 series. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). . [ Luca Boccassi ] * Install the renamed GLVND libraries and add SONAME symlinks. . [ Andreas Beckmann ] * Bump the required glx-diversions/glx-alternative-nvidia version for the renamed GLVND libraries. * Upload to stretch . nvidia-graphics-drivers (384.111-4~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * Relax the libvulkan1 (build-)dependency. * Do not conflict with *-glvnd-nvidia, there is no libglvnd in stretch. * Continue recommending the GLESv1 library for stretch. . nvidia-graphics-drivers (384.111-4) unstable; urgency=medium . * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description. * Use dh_missing --fail-missing. * Update lintian overrides. nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-625. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options." * New upstream release 384 series. - Fixed a string concatenation bug that caused libGL to accidentally try to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases where /tmp isn't accessible. (Closes: #888028) - Increased the version numbers of the GLVND libGL, libGLESv1_CM, libGLESv2, and libEGL libraries, to prevent concurrently installed non-GLVND libraries from taking precedence in the dynamic linker cache. * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. (Closes: #892413) * Remove obsolete bits from README.source. nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. * New upstream release 340 series. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. - Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. - Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . [ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the GPUs with VDPAU feature set I, e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4. * Merge changes from 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx long lived branch. nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). - Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. G-SYNC is enabled by default when using G-SYNC-ready monitors. For direct-to-display swapchains, an application profile with "GLGSYNCAllowed" setting set to 'false' can be used to disable this feature: { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] } * New upstream beta 387.12 (2017-10-03). - Fixed a regression that caused some display connectors on some GPUs to not report a connected HDMI or DisplayPort audio device even if the connected monitor supports audio. - Fixed a race condition that could lead to crashes when OpenGL programs manipulated vertex buffer objects from multiple threads simultaneously. - Improved performance of fullscreen Vulkan applications using X11 swapchains. This optimization will cause more events that trigger an out-of-date swapchain, such as when entering or leaving fullscreen mode. (This is commonly encountered when using the alt-tab key combination, for example.) Applications that do not properly respond to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly when these events occur. See section 30.8 of the Vulkan specification. - Added support for YUV 4:2:0 compression for monitors connected via DisplayPort in configurations where either the display or GPU is incapable of driving the current mode in RGB 4:4:4. See the description in the "Programming Modes" appendix for details. - Added framebuffer console hot plug handling to nvidia-modeset. Note that hot plugging is only handled when nvidia-modeset is initialized; for example, when Xorg or nvidia-persistenced is running or when nvidia-drm is loaded with the "modeset=1" parameter. - Added an "AllowGSYNC" MetaMode attribute that can be used to disable G-SYNC completely. This can be use to allow enabling features that are incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock. - Fixed several problems that prevented the "cc_version_check" sanity test from running correctly when building the NVIDIA kernel modules. As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. * New upstream release 384 series. - Fixed a regression that prevented displays connected via some types of passive adapters (e.g. DMS-59 to VGA or DVI) from working correctly. The regression was introduced with driver version 384.98. - Fixed a bug that caused Quadro M2200 GPUs to enter the lowest available PowerMizer performance level when under load. . [ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in Nvidia's license, which warns that the drivers are licensed for usage with Nvidia hardware. * Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. nvidia-modprobe (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-modprobe (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-modprobe (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-modprobe (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-modprobe (384.111-2~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-modprobe (384.111-2) unstable; urgency=medium . * Add setuid.patch to run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls. Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch! (Closes: #888952) * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-modprobe (384.111-2) unstable; urgency=medium . * Add setuid.patch to run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls. Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch! (Closes: #888952) * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-persistenced (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-persistenced (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. . nvidia-persistenced (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (384.111-1) unstable; urgency=medium . * New upstream release. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Bump Standards-Version to 4.1.3. No changes needed. nvidia-settings (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * Revert to debhelper compat level 10. . nvidia-settings (390.87-1) unstable; urgency=medium . * New upstream release 390.87. * Add Build-Depends-Package field to symbols file. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. . nvidia-settings (390.48-2) unstable; urgency=medium . * Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. . nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. . nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. * Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. . nvidia-settings (390.12-1) experimental; urgency=medium . * New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. * Upload to experimental. . nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. . nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. - Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. nvidia-settings (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-settings (390.87-1) unstable; urgency=medium . * New upstream release 390.87. * Add Build-Depends-Package field to symbols file. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-settings (390.48-2) unstable; urgency=medium . * Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. nvidia-settings (390.48-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-settings (390.48-2) unstable; urgency=medium . * Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. . nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. . nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. * Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. . nvidia-settings (390.12-1) experimental; urgency=medium . * New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. * Upload to experimental. . nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. . nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. - Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. . nvidia-settings (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. * Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. nvidia-settings (390.12-1) experimental; urgency=medium . * New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. - Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. nvidia-settings (384.111-1) unstable; urgency=medium . * New upstream release 384.111. * Bump Standards-Version to 4.1.3. No changes needed. nvidia-xconfig (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-xconfig (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-xconfig (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-xconfig (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. . nvidia-xconfig (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-xconfig (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. openni2 (2.2.0.33+dfsg-7+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix armhf baseline violation and armel FTBFS caused by NEON usage. (Closes: #874220) openssh (1:7.4p1-10+deb9u5) stretch; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2018-20685: disallow empty filenames or ones that refer to the current directory (Closes: #919101) * CVE-2019-6109: sanitize scp filenames via snmprintf (Closes: #793412) * CVE-2019-6111: check in scp client that filenames sent during remote->local directory copies satisfy the wildcards specified by the user openssl (1.1.0j-1~deb9u1) stretch-security; urgency=medium . * Import 1.1.0j - CVE-2018-0734 (Timing vulnerability in DSA signature generation) - CVE-2018-0735 (Timing vulnerability in ECDSA signature generation) - add new symbols . openssl (1.1.0i-1~deb9u1) stretch; urgency=medium . * Import 1.1.0i - Fix segfault ERR_clear_error (Closes: #903566) - Fix commandline option for CAengine (Closes: #907457) - CVE-2018-0732 (Client DoS due to large DH parameter) - CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation) * Abort the build if symbols are discovered which are not part of the symbols file. * use signing-key.asc and a https links for downloads openssl (1.1.0h-4) unstable; urgency=medium . * Build the binary in indep mode again, so we can install the documentation again. * Drop @echo in flavour so it builds again on Alpha * Add a 25-test_verify.t for autopkgtest which runs against intalled openssl binary. openssl (1.1.0h-3) unstable; urgency=medium . * Drop afalgeng on kfreebsd-* which go enabled because they inherit from the linux target. * Fix regression with session cache use by clients (See: #895035). * openssl rehash: exit 0 on warnings, same as c_rehash (See: #895473 and #895482). * Fix debian-rules-sets-dpkg-architecture-variable. * Let VCS-* point to salsa.d.o. * Don't build the binary package in binary-indep mode. * Update to policy 4.1.4 - only Suggest: libssl-doc instead Recommends (only documentation and example code is shipped). - drop Priority: important. - use signing-key.asc and a https links for downloads * Use compat 11. - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it seems to make sense. * Fix CVE-2018-0737 (Closes: #895844). openssl (1.1.0h-2) unstable; urgency=high . * Revert "only quote stuff that actually needs quoting" so c_rehash has the quotes again (Closes: #894282). openssl (1.1.0h-1) unstable; urgency=medium . * Abort the build if symbols are discovered which are not part of the symbols file. * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007). * Enable afalgeng on Linux targets (Closes: #888305) * Add riscv64 target (Closes: #891797). * New upstream release 1.1.0h - Drop applied patches: aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-binut.patch - Update symbols file. - Fix CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64) - Fix CVE-2018-0733 (Incorrect CRYPTO_memcmp on HP-UX PA-RISC) - Fix CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could exceed the stack) * Correct lhash typo in header file (Closes: #892276). openssl (1.1.0g-2) unstable; urgency=high . * Avoid problems with aes assembler on armhf using binutils 2.29 openssl (1.1.0g-1) unstable; urgency=medium . * New upstream version - Fixes CVE-2017-3735 - Fixes CVE-2017-3736 * Remove patches applied upstream * Temporary enable TLS 1.0 and 1.1 again (#875423) * Attempt to fix testsuite race condition * update no-symbolic.patch to apply openssl (1.1.0f-5) unstable; urgency=medium . * Instead of completly disabling TLS 1.0 and 1.1, just set the minimum version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version(). openssl (1.1.0f-4) unstable; urgency=medium . [ Sebastian Andrzej Siewior ] * Add support for arm64ilp32, patch by Wookey (Closes: #867240) . [ Kurt Roeckx ] * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS version. This will likely break things, but the hope is that by the release of Buster everything will speak at least TLS 1.2. This will be reconsidered before the Buster release. * Fix a race condition in the test suite (Closes: #869856) openssl1.0 (1.0.2q-1~deb9u1) stretch-security; urgency=medium . * use signing-key.asc and a https links for downloads * Import 1.0.2q stable release. - CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation) - CVE-2018-0732 (Client DoS due to large DH parameter) - CVE-2018-0734 (Timing vulnerability in DSA signature generation) - CVE-2018-5407 (Microarchitecture timing vulnerability in ECC scalar multiplication) openssl1.0 (1.0.2o-1) unstable; urgency=medium . * Add riscv64 (Closes: #891799). * New upstream version 1.0.2o: - Fixes CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could exceed the stack) openssl1.0 (1.0.2n-1) unstable; urgency=medium . * New upstream version 1.0.2n - drop patches which applied upstream: - 0001-Fix-no-ssl3-build.patch - 0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch - Fixes CVE-2017-3737 (Read/write after SSL object in error state) - Fixes CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64) * move to gbp * Abort the build if symbols are discovered which are not part of the symbols file. openssl1.0 (1.0.2m-3) unstable; urgency=medium . * Avoid problems with aes and sha256 assembler on armhf using binutils 2.29 openssl1.0 (1.0.2m-2) unstable; urgency=medium . * Fix no-ssl3-method build openssl1.0 (1.0.2m-1) unstable; urgency=high . [ Kurt Roeckx ] * New upstream version - Fixes CVE-2017-3735 - Fixes CVE-2017-3736 . [ Sebastian Andrzej Siewior] * Add support for arm64ilp32, Patch by Wookey (Closes: #874709). openvpn (2.4.0-6+deb9u3) stretch; urgency=medium . * Fix NCP behaviour on TLS reconnect, causing "AEAD Decrypt error: cipher final failed" errors (Closes: #909430, #910937) parsedatetime (2.1-3+deb9u1) stretch; urgency=medium . * Rebuild to add python3 version for certbot stable update. pdns (4.0.3-1+deb9u3) stretch; urgency=medium . * Fix (security) bugs, partially using upstream patches: * CVE-2018-1046 in dnsreplay (Closes: #898255) * CVE-2018-10851 (Closes: #913163) * MySQL queries with stored procedures (Closes: #889798) * ldap, lua, opendbx backend not finding domains (Closes: #911659) pdns-recursor (4.0.4-1+deb9u4) stretch; urgency=high . * Security upload for CVE-2018-10851 CVE-2018-14626 CVE-2018-14644. perl (5.24.1-3+deb9u5) stretch-security; urgency=high . * [SECURITY] CVE-2018-18311: Integer overflow leading to buffer overflow and segmentation fault * [SECURITY] CVE-2018-18312: Heap-buffer-overflow write in S_regatom (regcomp.c) * [SECURITY] CVE-2018-18313: Heap-buffer-overflow read in regcomp.c * [SECURITY] CVE-2018-18314: Heap-based buffer overflow in extended character classes photocollage (1.4.3-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . photocollage (1.4.3-2.1) unstable; urgency=medium . * Non-maintainer upload. * Add the missing dependency on gir1.2-gtk-3.0. (Closes: #914440) php-pear (1:1.10.1+submodules+notgz-9+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Don't allow filenames to start with phar:// (CVE-2018-1000888) (Closes: #919147) php7.0 (7.0.33-0+deb9u1) stretch-security; urgency=high . * New upstream version 7.0.33 * Fixed security bugs: + [CVE-2018-19518]: imap_open() function command injection + [CVE-2018-14851]: heap-buffer-overflow (READ of size 48) while reading exif data + [CVE-2018-14883]: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c + [CVE-2018-17082]: XSS due to the header Transfer-Encoding: chunked php7.0 (7.0.32-1) unstable; urgency=medium . * New upstream version 7.0.32 * Rebase patches for PHP 7.0.32 php7.0 (7.0.31-1) unstable; urgency=medium . [ Ondřej Surý ] * New upstream version 7.0.31 * Fix the Vcs-Browser link php7.0 (7.0.30-2) unstable; urgency=medium . * Update Vcs-* links to salsa.d.o * Update maintainer address to team+pkg-php@tracker.d.o php7.0 (7.0.30-1) unstable; urgency=medium . * New upstream version 7.0.30 * Rebase patches for PHP 7.0.30 policykit-1 (0.105-18+deb9u1) stretch-security; urgency=medium . * CVE-2018-19788 (Closes: #915332) postfix (3.1.9-0+deb9u2) stretch; urgency=medium . * Update debian/watch to point to the 3.1 series used in stretch . postfix (3.1.9-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Unset inet_interfaces in postfix-instance-generator to avoid postconf failures when the generator runs during boot (Thanks to Stefan Anders for the patch). Closes: #896155 * Also fix use of postmulti in debian/configure-instance.sh since postfix-instance-generator uses it before the network is up. Closes: #882141 . [Wietse Venema] . * 3.1.9 - Cleanup: added 21 missing *_maps parameters to the default proxy_read_maps setting. Files: global/mail_params.h. . - Bugfix (introduced: 20120117): postconf should scan only built-in or service-defined parameters for ldap, *sql, etc. database names. Files: postconf/postconf_user.c. . - Bugfix (introduced: 19990302): when luser_relay specifies a non-existent local address, the luser_relay feature becomes a black hole. Reported by Jørgen Thomsen. File: local/unknown.c. . - Bugfix (introduced: Postfix 2.8): missing tls_server_start() error propagation in tlsproxy(8) resulting in segfault after TLS handshake error. Found during code maintenance. File: tlsproxy/tlsproxy.c. postfix (3.1.9-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Unset inet_interfaces in postfix-instance-generator to avoid postconf failures when the generator runs during boot (Thanks to Stefan Anders for the patch). Closes: #896155 * Also fix use of postmulti in debian/configure-instance.sh since postfix-instance-generator uses it before the network is up. Closes: #882141 . [Wietse Venema] . * 3.1.9 - Cleanup: added 21 missing *_maps parameters to the default proxy_read_maps setting. Files: global/mail_params.h. . - Bugfix (introduced: 20120117): postconf should scan only built-in or service-defined parameters for ldap, *sql, etc. database names. Files: postconf/postconf_user.c. . - Bugfix (introduced: 19990302): when luser_relay specifies a non-existent local address, the luser_relay feature becomes a black hole. Reported by Jørgen Thomsen. File: local/unknown.c. . - Bugfix (introduced: Postfix 2.8): missing tls_server_start() error propagation in tlsproxy(8) resulting in segfault after TLS handshake error. Found during code maintenance. File: tlsproxy/tlsproxy.c. postgresql-9.6 (9.6.11-0+deb9u1) stretch; urgency=medium . * New upstream version. postgrey (1.36-3+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Revert the 1.36-3+deb9u1 change due to regression. (see #880047) . postgrey (1.36-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * debian/postgrey.init: create /var/run/postgrey if it does not exist, patch provided by Laurent Bigonville . (Closes: 756813, 880047) postgrey (1.36-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * debian/postgrey.init: create /var/run/postgrey if it does not exist, patch provided by Laurent Bigonville . (Closes: 756813, 880047) pylint-django (0.7.2-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix the python3-pylint-django dependencies. (Closes: #867413) python-acme (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. * Pull in unreleased version bump of josepy to fix deprecation warnings. * Pull in two patches to help fix josepy compatibility problems. * Pull in a Breaks to require upgrade in a single move. python-acme (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Pull in unreleased version bump of josepy to fix deprecation warnings. python-acme (0.27.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump S-V; add Rules-Require-Root: no python-acme (0.25.1-1) unstable; urgency=medium . * New upstream version 0.25.1 python-acme (0.25.1-1~bpo9+1) stretch-backports; urgency=high . * Rebuild for stretch-backports. . python-acme (0.25.1-1) unstable; urgency=medium . * New upstream version 0.25.1 . python-acme (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Add new dependency on requests-toolbelt * Drop unnecessary X-Python-Version fields * Add pytest as build-time dep only. . python-acme (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #895863) . python-acme (0.24.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Add new dependency on requests-toolbelt * Drop unnecessary X-Python-Version fields * Add pytest as build-time dep only. python-acme (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #895863) python-acme (0.24.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.22.2-1) unstable; urgency=medium . * New upstream release. python-acme (0.22.2-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-acme (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! python-acme (0.21.1-1) unstable; urgency=high . * New upstream release. * Cleanup from josepy separation. python-acme (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-acme (0.20.0-1) unstable; urgency=low . * New upstream release. * Add new dependencies introduced upstream. * Bump S-V, debhelper versions. * Move doc-base ref to package instead of package-doc. python-acme (0.19.0-1) unstable; urgency=medium . * New upstream release. python-acme (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-acme (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-acme (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch to python3-sphinx for docs. . python-acme (0.17.0-1) unstable; urgency=medium . * New upstream release. * Reduce dependency on python-requests, following upstream. * Increase priority to optional to comply with Policy v4.0.1.0 * Declare Testsuite using simple autopkgtest. * Bump S-V to 4.0.1. . python-acme (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. . python-acme (0.12.0-1) experimental; urgency=medium . * New upstream release. . python-acme (0.11.1-1) unstable; urgency=medium . * New upstream release. * Drop dep on python3?-dnspython removed upstream python-acme (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch to python3-sphinx for docs. python-acme (0.17.0-1) unstable; urgency=medium . * New upstream release. * Reduce dependency on python-requests, following upstream. * Increase priority to optional to comply with Policy v4.0.1.0 * Declare Testsuite using simple autopkgtest. * Bump S-V to 4.0.1. python-acme (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. python-acme (0.12.0-1) experimental; urgency=medium . * New upstream release. python-acme (0.11.1-1) unstable; urgency=medium . * New upstream release. * Drop dep on python3?-dnspython removed upstream python-arpy (1.1.1-3~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . python-arpy (1.1.1-3) unstable; urgency=low . * Team upload. . [ Christoph Egger ] * Add VCS-* headers . [ Ondřej Nový ] * Fixed homepage (https) * Fixed VCS URL (https) . [ Scott Kitterman ] * Correct substitution variable for python3 interpreter depends (Closes: #867418) * Remove unneeded python:Provides * Update homepage for move to github * Add debian/watch python-certbot (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. (Closes: #887399) python-certbot (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.27.0-1) unstable; urgency=medium . * New upstream version 0.27.0 * Refresh patch after upstream migration to codecov * Bump python-sphinx requirement defensively; bump S-V with no changes * Bump dep on python-acme to 0.26.0~ python-certbot (0.26.1-1) unstable; urgency=medium . * New upstream release. python-certbot (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump S-V; add R-R-R: no python-certbot (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Bump python-acme dep version. python-certbot (0.25.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #899858) python-certbot (0.24.0-1) unstable; urgency=medium . * Add OR to dep on python-distutils for stretch-bpo * New upstream version 0.24.0 * Bump version dep on python3-acme python-certbot (0.23.0-1) unstable; urgency=medium . * New upstream release. * Add testdata back in to prevent test failure in RDeps. (Closes: #894025) * Bump S-V; no changes needed. python-certbot (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.22.2-2) unstable; urgency=medium . * Change the way we remove testdata for better downstream support * Add dep on python3-distutils (Closes: #893775) python-certbot (0.22.2-1) unstable; urgency=medium . * New upstream release. python-certbot (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break the strict dependency relationship between certbot packages. python-certbot (0.21.1-1) unstable; urgency=high . * New upstream release. * Move d/copyright format to HTTPS python-certbot (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot (0.21.1-1) unstable; urgency=high . * New upstream release. * Move d/copyright format to HTTPS . python-certbot (0.20.0-3) unstable; urgency=medium . * Setup logrotation for certbot log files. (Closes: #873581, #881176) . python-certbot (0.20.0-2) unstable; urgency=low . * Add additional Breaks on py2 variants of libs. . python-certbot (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. . python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) python-certbot (0.20.0-3) unstable; urgency=medium . * Setup logrotation for certbot log files. (Closes: #873581, #881176) python-certbot (0.20.0-2) unstable; urgency=low . * Add additional Breaks on py2 variants of libs. python-certbot (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) python-certbot (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) . python-certbot (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch from python-sphinx to python3-sphinx . python-certbot (0.17.0-2) unstable; urgency=high . * Revert d/rules for systemd cleanup. (Closes: #872090) . python-certbot (0.17.0-1) unstable; urgency=medium . [ Mattia Rizzolo ] * d/control: rename git repository to python-certbot too . [ Harlan Lieberman-Berg ] * New upstream version 0.17.0 * Bump S-V to 4.0.1, changing Priority to optional. * Bump B-D on python-cryptography * Add very basic autopkgtest. * Refresh patches. * Fix merge failure. * Tweak d/rules for systemd cleanup, raise compat to 10. . python-certbot (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. . python-certbot (0.12.0-1) experimental; urgency=medium . * New upstream release. * Add python-ipdb as build dependency. * Drop unnecessary dependency on dh-systemd (Closes: #856239) . python-certbot (0.11.1-1) unstable; urgency=medium . * New upstream release. * Add .pc to gitignore * Drop python-psutil dep no longer needed python-certbot (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch from python-sphinx to python3-sphinx python-certbot (0.17.0-2) unstable; urgency=high . * Revert d/rules for systemd cleanup. (Closes: #872090) python-certbot (0.17.0-1) unstable; urgency=medium . [ Mattia Rizzolo ] * d/control: rename git repository to python-certbot too . [ Harlan Lieberman-Berg ] * New upstream version 0.17.0 * Bump S-V to 4.0.1, changing Priority to optional. * Bump B-D on python-cryptography * Add very basic autopkgtest. * Refresh patches. * Fix merge failure. * Tweak d/rules for systemd cleanup, raise compat to 10. python-certbot (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. python-certbot (0.12.0-1) experimental; urgency=medium . * New upstream release. * Add python-ipdb as build dependency. python-certbot (0.11.1-1) unstable; urgency=medium . * New upstream release. * Add .pc to gitignore * Drop python-psutil dep no longer needed python-certbot-apache (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. python-certbot-apache (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.27.1-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.27.0-1) unstable; urgency=medium . * New upstream version 0.27.0 * Bump S-V; no changes needed * Add lintian-override for cross-python version dep. python-certbot-apache (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump deps on certbot, add acme dep explicitly * Bump S-V with R-R-R: no python-certbot-apache (0.25.0-2) unstable; urgency=medium . * Fix incorrect version dependency. python-certbot-apache (0.25.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Bump dep on certbot python-certbot-apache (0.24.0-2) unstable; urgency=medium . * Update team email address to tracker.d.o. (Closes: #899667) python-certbot-apache (0.24.0-1) unstable; urgency=medium . * New upstream version 0.24.0 * Bump S-V; no changes needed. python-certbot-apache (0.23.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break strict dependency requirements. * Drop patches applied upstream. python-certbot-apache (0.21.1-1) unstable; urgency=high . * New upstream release. * Update Vcs-Git URL to be HTTPS. * Switch d/copyright URL to HTTPS. python-certbot-apache (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-apache (0.21.1-1) unstable; urgency=high . * New upstream release. * Update Vcs-Git URL to be HTTPS. * Switch d/copyright URL to HTTPS. . python-certbot-apache (0.20.0-3) unstable; urgency=medium . * Add version restriction on the Breaks of the dummy. . python-certbot-apache (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. . python-certbot-apache (0.20.0-1) unstable; urgency=low . * New upstream release. * Convert to python3! * Upgrade to debhelper 11. . python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.20.0-3) unstable; urgency=medium . * Add version restriction on the Breaks of the dummy. python-certbot-apache (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. python-certbot-apache (0.20.0-1) unstable; urgency=low . * New upstream release. * Convert to python3! * Upgrade to debhelper 11. python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-certbot-apache (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx. * Bump S-V; no changes needed. * Drop unnecessary Testsuite header. . python-certbot-apache (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move experimental to unstable now that the freeze is over. * Upgrade to v4.0.1 of Debian policy . python-certbot-apache (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. . python-certbot-apache (0.12.0-1) experimental; urgency=medium . * New usptream release. . python-certbot-apache (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx. * Bump S-V; no changes needed. * Drop unnecessary Testsuite header. python-certbot-apache (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move experimental to unstable now that the freeze is over. * Upgrade to v4.0.1 of Debian policy python-certbot-apache (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. python-certbot-apache (0.12.0-1) experimental; urgency=medium . * New usptream release. python-certbot-apache (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. python-certbot-nginx (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump dependencies to match setup.py * Bump S-V; add R-R-R: no python-certbot-nginx (0.25.0-2) unstable; urgency=medium . * Bump version requirement for acme and release -2 python-certbot-nginx (0.25.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 python-certbot-nginx (0.23.0-2) unstable; urgency=medium . * Switch maintainer email to tracker.d.o (Closes: #899674) python-certbot-nginx (0.23.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no chnages needed. python-certbot-nginx (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break strict dependency requirement. python-certbot-nginx (0.21.1-1) unstable; urgency=high . * New upstream release. * Change Vcs-Git to use HTTPS. * Change d/copyright to use HTTPS python-certbot-nginx (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-nginx (0.21.1-1) unstable; urgency=high . * New upstream release. * Change Vcs-Git to use HTTPS. * Change d/copyright to use HTTPS . python-certbot-nginx (0.20.0-3) unstable; urgency=medium . * Add version restriction to Breaks/Replaces for dummy. (Closes: #886954) . python-certbot-nginx (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. . python-certbot-nginx (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. . python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.20.0-3) unstable; urgency=medium . * Add version restriction to Breaks/Replaces for dummy. (Closes: #886954) python-certbot-nginx (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. python-certbot-nginx (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-certbot-nginx (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx; bump S-V without changes. * Drop unnecessary Testsuite. . python-certbot-nginx (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move to unstable from experimental, now that the freeze is over. * Update to latest Debian policy. . python-certbot-nginx (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. . python-certbot-nginx (0.12.0-1) experimental; urgency=medium . * New upstream release. . python-certbot-nginx (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx; bump S-V without changes. * Drop unnecessary Testsuite. python-certbot-nginx (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move to unstable from experimental, now that the freeze is over. * Update to latest Debian policy. python-certbot-nginx (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. python-certbot-nginx (0.12.0-1) experimental; urgency=medium . * New upstream release. python-certbot-nginx (0.11.1-1) unstable; urgency=medium . * New upstream release. python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high . * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default 404 page. (Closes: #918230) python-hypothesis (3.6.1-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport fix from 3.12.0-1 to stretch. . [ Tristan Seligmann ] * Fix permuted python3-hypothesis and python-hypothesis-doc Depends stanzas (closes: #867435). python-josepy (1.1.0-2~deb9u1) stretch; urgency=medium . * Backport to stable as a dependency for python-acme. python-josepy (1.1.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-josepy (1.1.0-1) unstable; urgency=medium . * New upstream release. python-josepy (1.0.1-1) unstable; urgency=medium . * Initial release. (Closes: #888624) * To prevent breaking downstream libs that may be using python-acme, we also have to build the Python 2 version. python-josepy (1.0.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. pyzo (4.3.1-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann] * Non-maintainer upload. * Backport dependency fix from 4.4.3-1.2. . [ Adrian Bunk ] * Add the missing dependency on python3-pkg-resources, thanks to Julien Cervelle. (Closes: #917085) qemu (1:2.8+dfsg-6+deb9u5) stretch-security; urgency=medium . * Backport SSBD support (Closes: #908682) * CVE-2018-10839 (Closes: #910431) * CVE-2018-17962 (Closes: #911468) * CVE-2018-17963 (Closes: #911469) r-cran-readxl (0.1.1-1+deb9u2) stretch; urgency=high . * src/libxls/ole.h: Updated from readxl upstream (Closes: #920804) * libxls/xlstool.h: Idem * ole.c: Idem * xls.c: Idem * xlstool.c: Idem . * This addresses CVE-2018-20450 CVE-2018-20452 with corresponding upstream patch in libxls and readxl roundcube (1.2.3+dfsg.1-4+deb9u3) stretch-security; urgency=high . * Backport fix for CVE-2018-19206: XSS vulnerability via crafted use of