Branches for Lucid

Name Status Last Modified Last Commit
lp://qastaging/ubuntu/lucid-security/enigmail bug Mature 2012-11-21 18:03:06 UTC
25. * New upstream release v1.4.6 - see...

Author: Chris Coulson
Revision Date: 2012-11-12 16:36:01 UTC

* New upstream release v1.4.6
  - see LP: #1080212 for USN information
* Drop unneeded patches
  - remove debian/patches/correct-version-number.diff
  - remove debian/patches/dont_register_cids_multiple_times.diff
  - update debian/patches/series
* Support building in an objdir
  - update debian/rules

lp://qastaging/ubuntu/lucid-updates/libcgroup Mature 2012-11-16 12:13:33 UTC
4. * debian/patches/cgred-initscript-2.d...

Author: Serge Hallyn
Revision Date: 2011-08-15 13:47:54 UTC

* debian/patches/cgred-initscript-2.diff (LP: #825598)
  - source /etc/default/cgred, not cgred.conf
  - pull DAEMON_OPTS from defaults file into init script
  - --log-file is not a valid option. -f or --logfile is.
* Show LOG_FILE in a comment in /etc/default/cgred.

lp://qastaging/ubuntu/lucid-updates/glib2.0 bug Mature 2012-11-15 16:54:54 UTC
58. * debian/patches/90-context-unlock.pa...

Author: Ante Karamatić
Revision Date: 2011-11-09 10:33:37 UTC

* debian/patches/90-context-unlock.patch (LP: #887946):
  - gmain: move finalization of GSource outside of context lock

lp://qastaging/ubuntu/lucid-updates/libcap2 Mature 2012-11-15 16:51:29 UTC
10. debian/patches/0002-link-pam.patch: l...

Author: Serge Hallyn
Revision Date: 2011-11-08 12:39:56 UTC

debian/patches/0002-link-pam.patch: link pam_cap against -lpam.
(Closes: #591410) (LP: #582769)

lp://qastaging/ubuntu/lucid-updates/cluster-agents Mature 2012-11-15 16:47:09 UTC
7. debian/patches/mysql_move_writable_te...

Author: Adam Gandelman
Revision Date: 2011-11-22 11:20:06 UTC

debian/patches/mysql_move_writable_test.patch: Cherry-pick upstream
commit (95a6eb8a). In mysql OCF, properly create $pid_dir before testing
permissions on it. (LP: #893352)

lp://qastaging/~stub/ubuntu/lucid/postgresql-debversion/devel Development 2012-11-15 09:49:39 UTC
16. Lucid

Author: Stuart Bishop
Revision Date: 2012-11-15 09:49:39 UTC

Lucid

lp://qastaging/ubuntu/lucid-proposed/request-tracker3.8 bug Mature 2012-11-14 14:44:49 UTC
11. [ Dominic Hargreaves ] * Multiple sec...

Author: Marc Deslauriers
Revision Date: 2012-11-09 15:15:40 UTC

[ Dominic Hargreaves ]
* Multiple security fixes for:
  - XSS vulnerabilities (CVE-2011-2083)
  - information disclosure vulnerabilities including password hash
    exposure and correspondence disclosure to privileged users
    (CVE-2011-2084)
  - CSRF vulnerabilities allowing information disclosure,
    privilege escalation, and arbitrary code execution. Original
    behaviour may be restored by setting $RestrictReferrer to 0 for
    installations which rely on it (CVE-2011-2085)
  - remote code execution vulnerabilities including in VERP
    functionality (CVE-2011-4458)
* Fix the vulnerable-passwords script to also upgrade password hashes
  for disabled users, and rerun the script in postinst (CVE-2011-2082)
* Include clean-user-txns script to accompany the above fixes, and
  run in postinst
* Provide specific instructions for restarting a mod_perl based
  Apache server

[ Marc Deslauriers ]
* debian/patches/81_misc_sec_regressions.dpatch: fix regression in
  rt-email-dashboards, and whitelist search results and calendar helper
  from CSRF protection
* SECURITY UPDATE: Multiple security fixes (LP: #1004834):
  - Email header injection attack (CVE-2012-4730)
  - CSRF protection allows attack on bookmarks (CVE-2012-4732)
  - Confused deputy attack for non-logged-in users (CVE-2012-4734)
  - Multiple message signing/encryption attacks related to GnuPG
    (CVE-2012-4735)
  - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)

lp://qastaging/ubuntu/lucid-updates/enigmail Mature 2012-11-12 16:36:01 UTC
25. * New upstream release v1.4.6 - see...

Author: Chris Coulson
Revision Date: 2012-11-12 16:36:01 UTC

* New upstream release v1.4.6
  - see LP: #1080212 for USN information
* Drop unneeded patches
  - remove debian/patches/correct-version-number.diff
  - remove debian/patches/dont_register_cids_multiple_times.diff
  - update debian/patches/series
* Support building in an objdir
  - update debian/rules

lp://qastaging/ubuntu/lucid-updates/libproxy Mature 2012-11-12 16:32:15 UTC
9. * SECURITY UPDATE: possible remote co...

Author: Marc Deslauriers
Revision Date: 2012-11-06 09:41:45 UTC

* SECURITY UPDATE: possible remote code execution via buffer overflow
  - debian/patches/02_CVE-2012-4505.patch: validate maximum pac size in
    src/lib/pac.c.
  - CVE-2012-4505

lp://qastaging/ubuntu/lucid-security/libproxy Mature 2012-11-12 16:12:38 UTC
9. * SECURITY UPDATE: possible remote co...

Author: Marc Deslauriers
Revision Date: 2012-11-06 09:41:45 UTC

* SECURITY UPDATE: possible remote code execution via buffer overflow
  - debian/patches/02_CVE-2012-4505.patch: validate maximum pac size in
    src/lib/pac.c.
  - CVE-2012-4505

lp://qastaging/ubuntu/lucid-security/virtualbox-ose bug Mature 2012-11-09 21:52:27 UTC
42. * SECURITY UPDATE: Missing privilege ...

Author: Felix Geyer
Revision Date: 2012-10-26 14:38:37 UTC

* SECURITY UPDATE: Missing privilege check for task gate switches
  (LP: #1044634)
  - debian/patches/cve-2012-3221.dpatch: patch from upstream
  - CVE-2012-3221

lp://qastaging/ubuntu/lucid-security/request-tracker3.8 bug Mature 2012-11-09 15:15:40 UTC
11. [ Dominic Hargreaves ] * Multiple sec...

Author: Marc Deslauriers
Revision Date: 2012-11-09 15:15:40 UTC

[ Dominic Hargreaves ]
* Multiple security fixes for:
  - XSS vulnerabilities (CVE-2011-2083)
  - information disclosure vulnerabilities including password hash
    exposure and correspondence disclosure to privileged users
    (CVE-2011-2084)
  - CSRF vulnerabilities allowing information disclosure,
    privilege escalation, and arbitrary code execution. Original
    behaviour may be restored by setting $RestrictReferrer to 0 for
    installations which rely on it (CVE-2011-2085)
  - remote code execution vulnerabilities including in VERP
    functionality (CVE-2011-4458)
* Fix the vulnerable-passwords script to also upgrade password hashes
  for disabled users, and rerun the script in postinst (CVE-2011-2082)
* Include clean-user-txns script to accompany the above fixes, and
  run in postinst
* Provide specific instructions for restarting a mod_perl based
  Apache server

[ Marc Deslauriers ]
* debian/patches/81_misc_sec_regressions.dpatch: fix regression in
  rt-email-dashboards, and whitelist search results and calendar helper
  from CSRF protection
* SECURITY UPDATE: Multiple security fixes (LP: #1004834):
  - Email header injection attack (CVE-2012-4730)
  - CSRF protection allows attack on bookmarks (CVE-2012-4732)
  - Confused deputy attack for non-logged-in users (CVE-2012-4734)
  - Multiple message signing/encryption attacks related to GnuPG
    (CVE-2012-4735)
  - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)

lp://qastaging/ubuntu/lucid-updates/request-tracker3.8 Mature 2012-11-09 15:15:40 UTC
11. [ Dominic Hargreaves ] * Multiple sec...

Author: Marc Deslauriers
Revision Date: 2012-11-09 15:15:40 UTC

[ Dominic Hargreaves ]
* Multiple security fixes for:
  - XSS vulnerabilities (CVE-2011-2083)
  - information disclosure vulnerabilities including password hash
    exposure and correspondence disclosure to privileged users
    (CVE-2011-2084)
  - CSRF vulnerabilities allowing information disclosure,
    privilege escalation, and arbitrary code execution. Original
    behaviour may be restored by setting $RestrictReferrer to 0 for
    installations which rely on it (CVE-2011-2085)
  - remote code execution vulnerabilities including in VERP
    functionality (CVE-2011-4458)
* Fix the vulnerable-passwords script to also upgrade password hashes
  for disabled users, and rerun the script in postinst (CVE-2011-2082)
* Include clean-user-txns script to accompany the above fixes, and
  run in postinst
* Provide specific instructions for restarting a mod_perl based
  Apache server

[ Marc Deslauriers ]
* debian/patches/81_misc_sec_regressions.dpatch: fix regression in
  rt-email-dashboards, and whitelist search results and calendar helper
  from CSRF protection
* SECURITY UPDATE: Multiple security fixes (LP: #1004834):
  - Email header injection attack (CVE-2012-4730)
  - CSRF protection allows attack on bookmarks (CVE-2012-4732)
  - Confused deputy attack for non-logged-in users (CVE-2012-4734)
  - Multiple message signing/encryption attacks related to GnuPG
    (CVE-2012-4735)
  - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)

lp://qastaging/ubuntu/lucid-updates/munin Mature 2012-11-05 15:54:17 UTC
32. * SECURITY UPDATE: symlink vulnerabil...

Author: Marc Deslauriers
Revision Date: 2012-10-17 08:26:39 UTC

* SECURITY UPDATE: symlink vulnerability in qmailscan plugin
  - debian/patches/CVE-2012-2103.patch: remove the use of tempfiles in
    plugins/node.d/qmailscan.in.
  - CVE-2012-2103
* SECURITY UPDATE: privilege escalation via root running plugins
  - debian/patches/CVE-2012-3512.patch: run each plugin in their own
    state directory in Makefile, Makefile.config,
    node/lib/Munin/Node/{OS,Service}.pm, plugins/lib/Munin/Plugin.pm,
    plugins/node.d/*.in,plugins/node.d.linux/*.in.
  - debian/patches/CVE-2012-3512-regression.patch: Don't rely on
    MUNIN_PLUGSTATE being in the environment as these scripts also get
    run by a cron job in plugins/node.d.linux/apt_all.in,
    plugins/node.d.linux/apt.in.
  - CVE-2012-3512
* debian/Makefile.config: added new plugin state directory location.
* debian/munin-node.{postinst,postrm}: Remove old plugin state directory
  override, also remove new plugin state directory.

lp://qastaging/ubuntu/lucid-security/munin Mature 2012-11-05 14:45:33 UTC
32. * SECURITY UPDATE: symlink vulnerabil...

Author: Marc Deslauriers
Revision Date: 2012-10-17 08:26:39 UTC

* SECURITY UPDATE: symlink vulnerability in qmailscan plugin
  - debian/patches/CVE-2012-2103.patch: remove the use of tempfiles in
    plugins/node.d/qmailscan.in.
  - CVE-2012-2103
* SECURITY UPDATE: privilege escalation via root running plugins
  - debian/patches/CVE-2012-3512.patch: run each plugin in their own
    state directory in Makefile, Makefile.config,
    node/lib/Munin/Node/{OS,Service}.pm, plugins/lib/Munin/Plugin.pm,
    plugins/node.d/*.in,plugins/node.d.linux/*.in.
  - debian/patches/CVE-2012-3512-regression.patch: Don't rely on
    MUNIN_PLUGSTATE being in the environment as these scripts also get
    run by a cron job in plugins/node.d.linux/apt_all.in,
    plugins/node.d.linux/apt.in.
  - CVE-2012-3512
* debian/Makefile.config: added new plugin state directory location.
* debian/munin-node.{postinst,postrm}: Remove old plugin state directory
  override, also remove new plugin state directory.

lp://qastaging/ubuntu/lucid-updates/lsb Mature 2012-10-28 15:15:14 UTC
40. If a pidfile is specified, but doesn'...

Author: Adam Stokes
Revision Date: 2012-10-10 14:26:06 UTC

If a pidfile is specified, but doesn't provide a PID
to test, return 'not running', and return 'unknown'
if the pidfile exists but is unreadable (LP: #683640)

lp://qastaging/ubuntu/lucid-proposed/munin Mature 2012-10-28 13:35:17 UTC
32. * SECURITY UPDATE: symlink vulnerabil...

Author: Marc Deslauriers
Revision Date: 2012-10-17 08:26:39 UTC

* SECURITY UPDATE: symlink vulnerability in qmailscan plugin
  - debian/patches/CVE-2012-2103.patch: remove the use of tempfiles in
    plugins/node.d/qmailscan.in.
  - CVE-2012-2103
* SECURITY UPDATE: privilege escalation via root running plugins
  - debian/patches/CVE-2012-3512.patch: run each plugin in their own
    state directory in Makefile, Makefile.config,
    node/lib/Munin/Node/{OS,Service}.pm, plugins/lib/Munin/Plugin.pm,
    plugins/node.d/*.in,plugins/node.d.linux/*.in.
  - debian/patches/CVE-2012-3512-regression.patch: Don't rely on
    MUNIN_PLUGSTATE being in the environment as these scripts also get
    run by a cron job in plugins/node.d.linux/apt_all.in,
    plugins/node.d.linux/apt.in.
  - CVE-2012-3512
* debian/Makefile.config: added new plugin state directory location.
* debian/munin-node.{postinst,postrm}: Remove old plugin state directory
  override, also remove new plugin state directory.

lp://qastaging/ubuntu/lucid-security/exim4 bug Mature 2012-10-25 08:48:31 UTC
36. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-10-25 08:48:31 UTC

* SECURITY UPDATE: arbitrary code execution via dns decode logic
  - debian/patches/CVE-2012-5671.patch: adjust max length and validate
    against it in src/pdkim/pdkim.h, src/dkim.c.
  - CVE-2012-5671

lp://qastaging/ubuntu/lucid-updates/exim4 Mature 2012-10-25 08:48:31 UTC
36. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2012-10-25 08:48:31 UTC

* SECURITY UPDATE: arbitrary code execution via dns decode logic
  - debian/patches/CVE-2012-5671.patch: adjust max length and validate
    against it in src/pdkim/pdkim.h, src/dkim.c.
  - CVE-2012-5671

lp://qastaging/ubuntu/lucid-security/python3.1 Mature 2012-10-23 09:34:32 UTC
15. * SECURITY UPDATE: optionally disallo...

Author: Jamie Strandboge
Revision Date: 2012-10-23 09:34:32 UTC

* SECURITY UPDATE: optionally disallow setting sys.path when setting
  sys.argv
  - debian/patches/CVE-2008-5983.dpatch: add new C API function,
    PySys_SetArgvEx
  - CVE-2008-5983
* SECURITY UPDATE: fix integer overflows in audioop module
  - debian/patches/CVE-2010-1634.dpatch: Fix incorrect and UB-inducing
    overflow checks
  - CVE-2010-1634
* SECURITY UPDATE: fix DoS in audioop module
  - debian/patches/CVE-2010-2089.dpatch: ensure that the input string length
    is a multiple of the frame size
  - CVE-2010-2089
* SECURE UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.dpatch: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.dpatch: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.dpatch: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: http://bugs.python.org/issue14579
  - debian/patches/CVE-2012-2135.dpatch: fix vulnerability in the utf-16
    decoder after error handling
  - CVE-2012-2135

lp://qastaging/ubuntu/lucid-updates/python3.1 Mature 2012-10-23 09:34:32 UTC
15. * SECURITY UPDATE: optionally disallo...

Author: Jamie Strandboge
Revision Date: 2012-10-23 09:34:32 UTC

* SECURITY UPDATE: optionally disallow setting sys.path when setting
  sys.argv
  - debian/patches/CVE-2008-5983.dpatch: add new C API function,
    PySys_SetArgvEx
  - CVE-2008-5983
* SECURITY UPDATE: fix integer overflows in audioop module
  - debian/patches/CVE-2010-1634.dpatch: Fix incorrect and UB-inducing
    overflow checks
  - CVE-2010-1634
* SECURITY UPDATE: fix DoS in audioop module
  - debian/patches/CVE-2010-2089.dpatch: ensure that the input string length
    is a multiple of the frame size
  - CVE-2010-2089
* SECURE UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.dpatch: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.dpatch: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.dpatch: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: http://bugs.python.org/issue14579
  - debian/patches/CVE-2012-2135.dpatch: fix vulnerability in the utf-16
    decoder after error handling
  - CVE-2012-2135

lp://qastaging/~adam-stokes/ubuntu/lucid/portmap/reuse-socket-on-restart-lp688550 Development 2012-10-18 17:22:24 UTC
2. fix accidental removal of ifdef

Author: Adam Stokes
Revision Date: 2012-10-18 17:22:24 UTC

fix accidental removal of ifdef

lp://qastaging/~adam-stokes/ubuntu/lucid/autofs5/backport-5.0.6 Development 2012-10-18 17:19:46 UTC
27. Reduce upstart requirement

Author: Adam Stokes
Revision Date: 2012-09-27 19:02:17 UTC

Reduce upstart requirement

lp://qastaging/~adam-stokes/ubuntu/lucid/eglibc/define-hugetlb-lp1068199 Development 2012-10-18 16:12:13 UTC
2. Define MAP_HUGETLB (LP: #1068199)

Author: Adam Stokes
Revision Date: 2012-10-18 16:10:13 UTC

Define MAP_HUGETLB (LP: #1068199)

lp://qastaging/~adam-buchbinder/ubuntu/lucid/vim/vim-large-file-recovery bug (Has a merge proposal) Development 2012-10-15 21:07:48 UTC
59. Backported upstream patch 7.3.216 fro...

Author: Adam Buchbinder
Revision Date: 2012-10-15 21:07:48 UTC

Backported upstream patch 7.3.216 from
https://groups.google.com/d/topic/vim_dev/lTos-bGcNgU/discussion
(LP: #1059085):

lp://qastaging/ubuntu/lucid-updates/libgssglue Mature 2012-10-15 18:13:57 UTC
6. * SECURITY UPDATE: Privilege escalati...

Author: Tyler Hicks
Revision Date: 2012-09-27 21:13:08 UTC

* SECURITY UPDATE: Privilege escalation via malicious environment variable
  - debian/patches/07-CVE_2011_2709.patch: Only read the GSSAPI_MECH_CONF
    environment variable in non-setuid situations. Based on upstream patch.
  - CVE-2011-2709

lp://qastaging/ubuntu/lucid-security/libgssglue Mature 2012-10-15 17:18:12 UTC
6. * SECURITY UPDATE: Privilege escalati...

Author: Tyler Hicks
Revision Date: 2012-09-27 21:13:08 UTC

* SECURITY UPDATE: Privilege escalation via malicious environment variable
  - debian/patches/07-CVE_2011_2709.patch: Only read the GSSAPI_MECH_CONF
    environment variable in non-setuid situations. Based on upstream patch.
  - CVE-2011-2709

lp://qastaging/ubuntu/lucid-backports/password-store bug Mature 2012-10-15 02:42:33 UTC
3. No-change backport to lucid (LP: #106...

Author: Micah Gersten
Revision Date: 2012-10-14 20:55:49 UTC

No-change backport to lucid (LP: #1063688)

lp://qastaging/ubuntu/lucid-updates/ubufox Mature 2012-10-12 15:00:54 UTC
40. * New upstream release - see LP: #1...

Author: Chris Coulson
Revision Date: 2012-10-12 15:00:54 UTC

* New upstream release
  - see LP: #1080211 for USN information
  - Make the startpage work again in Firefox 17
  - Fix a crash that occurs when the apt cache is broken
  - Fix a whole bunch of memory leaks in the plugin installer
  - Don't poll for file changes, but use inotify instead to determine
    when we need to display a restart notification

lp://qastaging/ubuntu/lucid-proposed/lsb bug Mature 2012-10-10 19:50:32 UTC
40. If a pidfile is specified, but doesn'...

Author: Adam Stokes
Revision Date: 2012-10-10 14:26:06 UTC

If a pidfile is specified, but doesn't provide a PID
to test, return 'not running', and return 'unknown'
if the pidfile exists but is unreadable (LP: #683640)

lp://qastaging/ubuntu/lucid-security/dbus bug Mature 2012-10-04 12:20:27 UTC
91. * REGRESSION FIX: some applications l...

Author: Marc Deslauriers
Revision Date: 2012-10-03 07:05:52 UTC

* REGRESSION FIX: some applications launched with the activation helper
  may need DBUS_STARTER_ADDRESS. (LP: #1058343)
  - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
    starter address to the default system bus address.
* REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
  - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
    shutdown or reboot so that it can safely unmount the root
    filesystem.

lp://qastaging/ubuntu/lucid-updates/dbus bug Mature 2012-10-03 07:05:52 UTC
91. * REGRESSION FIX: some applications l...

Author: Marc Deslauriers
Revision Date: 2012-10-03 07:05:52 UTC

* REGRESSION FIX: some applications launched with the activation helper
  may need DBUS_STARTER_ADDRESS. (LP: #1058343)
  - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
    starter address to the default system bus address.
* REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
  - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
    shutdown or reboot so that it can safely unmount the root
    filesystem.

lp://qastaging/ubuntu/lucid-updates/python-distutils-extra Mature 2012-10-02 23:05:32 UTC
16. * Fix installation of symlinks in dat...

Author: Jamie Strandboge
Revision Date: 2012-09-05 22:09:27 UTC

* Fix installation of symlinks in data/ dir (LP: #770566):
  - test/auto.py: Add test for installing a symlink which points to a
    nonexisting target directory/file. This reproduces the gist of the
    problem.
  - test/auto.py: Preserve symlinks in copytree() calls, so that we can
    actually verify that symlinks are preserved properly.
  - test/auto.py: Drop requirement that diff throws no error messages, as it
    will complain about the broken symlink.
  - DistUtilsExtra/auto.py, install_auto: Use os.walk() instead of
    distutils.filelist.findall() to pick out symlinks, as the latter fails
    badly with broken symlinks.
  - DistUtilsExtra/command/build_icons.py: Ignore symbolic links. distutils
    breaks on them when they point to a nonexisting target, and we handle
    them in auto.py.
  - backport, http://bazaar.launchpad.net/~python-distutils-extra-hackers/python-distutils-extra/debian/revision/250

lp://qastaging/ubuntu/lucid-security/python-distutils-extra bug Mature 2012-10-02 23:05:26 UTC
16. * Fix installation of symlinks in dat...

Author: Jamie Strandboge
Revision Date: 2012-09-05 22:09:27 UTC

* Fix installation of symlinks in data/ dir (LP: #770566):
  - test/auto.py: Add test for installing a symlink which points to a
    nonexisting target directory/file. This reproduces the gist of the
    problem.
  - test/auto.py: Preserve symlinks in copytree() calls, so that we can
    actually verify that symlinks are preserved properly.
  - test/auto.py: Drop requirement that diff throws no error messages, as it
    will complain about the broken symlink.
  - DistUtilsExtra/auto.py, install_auto: Use os.walk() instead of
    distutils.filelist.findall() to pick out symlinks, as the latter fails
    badly with broken symlinks.
  - DistUtilsExtra/command/build_icons.py: Ignore symbolic links. distutils
    breaks on them when they point to a nonexisting target, and we handle
    them in auto.py.
  - backport, http://bazaar.launchpad.net/~python-distutils-extra-hackers/python-distutils-extra/debian/revision/250

lp://qastaging/ubuntu/lucid-updates/software-properties bug Mature 2012-10-01 18:46:32 UTC
47. * SECURITY UPDATE: improve gpg key va...

Author: Marc Deslauriers
Revision Date: 2012-09-28 09:26:15 UTC

* SECURITY UPDATE: improve gpg key validation to prevent MITM attack
  (LP: #1016643)
  - softwareproperties/ppa.py: download gpg key to temporary keyring, and
    validate using v4 fingerprint before importing to apt keyring.

lp://qastaging/ubuntu/lucid-security/software-properties bug Mature 2012-09-28 09:26:15 UTC
47. * SECURITY UPDATE: improve gpg key va...

Author: Marc Deslauriers
Revision Date: 2012-09-28 09:26:15 UTC

* SECURITY UPDATE: improve gpg key validation to prevent MITM attack
  (LP: #1016643)
  - softwareproperties/ppa.py: download gpg key to temporary keyring, and
    validate using v4 fingerprint before importing to apt keyring.

lp://qastaging/~adam-stokes/ubuntu/lucid/autofs5/null-cache-remap-fix-578536 Development 2012-09-27 18:17:02 UTC
26. debian/patches/25cleanup-direct-indir...

Author: Adam Stokes
Revision Date: 2012-09-27 18:17:02 UTC

debian/patches/25cleanup-direct-indirect-threadlocks.dpatch:
Basically a backport of 5.0.6 minus ldap, sasl, ext4 support

lp://qastaging/ubuntu/lucid-updates/dpkg bug Mature 2012-09-22 23:51:45 UTC
102. * Cherry-pick fixes for sync() behavi...

Author: Michael Jeanson
Revision Date: 2012-09-14 09:43:09 UTC

* Cherry-pick fixes for sync() behaviour in dpkg (LP: #624877):
  - Disable by default usage of synchronous sync(2), as it causes undesired
    I/O on unrelated file systems. Closes: #588339, #595927, #600075
  - On Linux use sync_file_range() to initiate asynchronous writeback
    of just unpacked files. Suggested by Ted Ts'o <tytso@mit.edu>.
    Thanks to Jonathan Nieder <jrnieder@gmail.com>. Closes: #605009

lp://qastaging/ubuntu/lucid-updates/python-qt4 Mature 2012-09-20 13:51:21 UTC
57. d/p/lp-561303.diff: Cherry pick fix f...

Author: Clint Byrum
Revision Date: 2012-06-22 10:59:44 UTC

d/p/lp-561303.diff: Cherry pick fix from 4.7.3 to stop
crashes. (LP: #561303)

lp://qastaging/~adam-stokes/ubuntu/lucid/krb5/fix-memleak-init_creds-lp-988055 Development 2012-09-18 17:19:05 UTC
35. Fix two memory leaks in krb5_get_init...

Author: Adam Stokes
Revision Date: 2012-09-18 17:14:55 UTC

Fix two memory leaks in krb5_get_init_creds path; one of these memory
leaks is quite common for any application such as PAM or kinit that
gets initial credentials, thanks Bastian Blank, Closes: #598032, (LP: #988055)

lp://qastaging/ubuntu/lucid-security/dhcp3 bug Mature 2012-09-18 12:13:19 UTC
62. * debian/dhclient-script.linux: Expli...

Author: Jamie Strandboge
Revision Date: 2012-09-05 10:58:55 UTC

* debian/dhclient-script.linux: Explicitly set the PATH to that of
  ENV_SUPATH in /etc/login.defs and unset various other variables. We need
  to do this so /sbin/dhclient cannot abuse the environment to escape
  AppArmor confinement via this script. Don't worry about
  debian/dhclient-script.udeb or debian/dhclient-script.kfreebsd since
  AppArmor isn't used in these environments.
  - LP: #1045986
* debian/patches/adjust-configure-for-linux3.dpatch: default to linux-2.2
  for 3.0+ kernels

lp://qastaging/ubuntu/lucid-proposed/postgresql-common bug Mature 2012-09-18 08:05:03 UTC
19. pg_ctlcluster: Drop erroneous $result...

Author: Martin Pitt
Revision Date: 2012-09-18 08:05:03 UTC

pg_ctlcluster: Drop erroneous $result assignment which was introduced in
the previous version due to a mis-merge.

lp://qastaging/ubuntu/lucid-updates/postgresql-common Mature 2012-09-18 08:05:03 UTC
19. pg_ctlcluster: Drop erroneous $result...

Author: Martin Pitt
Revision Date: 2012-09-18 08:05:03 UTC

pg_ctlcluster: Drop erroneous $result assignment which was introduced in
the previous version due to a mis-merge.

lp://qastaging/ubuntu/lucid-proposed/dpkg bug Mature 2012-09-14 17:20:09 UTC
101. * Cherry-pick fixes for sync() behavi...

Author: Michael Jeanson
Revision Date: 2012-09-14 09:43:09 UTC

* Cherry-pick fixes for sync() behaviour in dpkg (LP: #624877):
  - Disable by default usage of synchronous sync(2), as it causes undesired
    I/O on unrelated file systems. Closes: #588339, #595927, #600075
  - On Linux use sync_file_range() to initiate asynchronous writeback
    of just unpacked files. Suggested by Ted Ts'o <tytso@mit.edu>.
    Thanks to Jonathan Nieder <jrnieder@gmail.com>. Closes: #605009

lp://qastaging/ubuntu/lucid-updates/xmlrpc-c Mature 2012-09-10 22:14:28 UTC
18. * Run the tests as part of the build ...

Author: Tyler Hicks
Revision Date: 2012-09-09 22:57:33 UTC

* Run the tests as part of the build process
  - debian/patches/FTBFS-tests.patch: Fix issues when running make check.
    Based on upstream patches.
  - debian/rules: Run make check after building
* SECURITY UPDATE: Denial of service via hash collisions
  - debian/patches/CVE-2012-0876.patch: Add random salt value to
    hash inputs. Based on upstream patch.
  - CVE-2012-0876
* SECURITY UPDATE: Denial of service via memory leak
  - debian/patches/CVE-2012-1148.patch: Properly reallocate memory.
    Based on upstream patch.
  - CVE-2012-1148

lp://qastaging/ubuntu/lucid-security/xmlrpc-c Mature 2012-09-10 21:19:15 UTC
18. * Run the tests as part of the build ...

Author: Tyler Hicks
Revision Date: 2012-09-09 22:57:33 UTC

* Run the tests as part of the build process
  - debian/patches/FTBFS-tests.patch: Fix issues when running make check.
    Based on upstream patches.
  - debian/rules: Run make check after building
* SECURITY UPDATE: Denial of service via hash collisions
  - debian/patches/CVE-2012-0876.patch: Add random salt value to
    hash inputs. Based on upstream patch.
  - CVE-2012-0876
* SECURITY UPDATE: Denial of service via memory leak
  - debian/patches/CVE-2012-1148.patch: Properly reallocate memory.
    Based on upstream patch.
  - CVE-2012-1148

lp://qastaging/ubuntu/lucid-proposed/linux-lts-backport-natty bug Mature 2012-09-10 17:13:28 UTC
19. [Luis Henriques] * Release Tracking ...

Author: Luis Henriques
Revision Date: 2012-09-07 14:15:51 UTC

[Luis Henriques]

* Release Tracking Bug
  - LP: #1047350

[ Upstream Kernel Changes ]

* rds: set correct msg_namelen
  - LP: #1031112
  - CVE-2012-3430
* eCryptfs: Initialize empty lower files when opening them
  - LP: #911507
* net: Allow driver to limit number of GSO segments per skb
  - LP: #1037456
  - CVE-2012-3412
* tcp: do not scale TSO segment size with reordering degree
  - LP: #1037456
  - CVE-2012-3412
* tcp: Apply device TSO segment limit earlier
  - LP: #1037456
  - CVE-2012-3412
* sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
  - LP: #1037456
  - CVE-2012-3412
* sfc: Fix maximum number of TSO segments and minimum TX queue size
  - LP: #1037456
  - CVE-2012-3412
* mm: Hold a file reference in madvise_remove
  - LP: #1042447
  - CVE-2012-3511
* cred: copy_process() should clear child->replacement_session_keyring
  - LP: #1023535
  - CVE-2012-2745

lp://qastaging/ubuntu/lucid-proposed/linux-meta-lts-backport-natty Mature 2012-09-07 14:20:00 UTC
8. linux-natty 2.6.38-16.67

Author: Luis Henriques
Revision Date: 2012-09-07 14:20:00 UTC

linux-natty 2.6.38-16.67

lp://qastaging/ubuntu/lucid-security/linux-meta-lts-backport-natty Mature 2012-09-07 14:20:00 UTC
8. linux-natty 2.6.38-16.67

Author: Luis Henriques
Revision Date: 2012-09-07 14:20:00 UTC

linux-natty 2.6.38-16.67

lp://qastaging/ubuntu/lucid-updates/linux-meta-lts-backport-natty Mature 2012-09-07 14:20:00 UTC
8. linux-natty 2.6.38-16.67

Author: Luis Henriques
Revision Date: 2012-09-07 14:20:00 UTC

linux-natty 2.6.38-16.67

lp://qastaging/ubuntu/lucid-security/linux-lts-backport-natty Mature 2012-09-07 14:15:51 UTC
19. [Luis Henriques] * Release Tracking ...

Author: Luis Henriques
Revision Date: 2012-09-07 14:15:51 UTC

[Luis Henriques]

* Release Tracking Bug
  - LP: #1047350

[ Upstream Kernel Changes ]

* rds: set correct msg_namelen
  - LP: #1031112
  - CVE-2012-3430
* eCryptfs: Initialize empty lower files when opening them
  - LP: #911507
* net: Allow driver to limit number of GSO segments per skb
  - LP: #1037456
  - CVE-2012-3412
* tcp: do not scale TSO segment size with reordering degree
  - LP: #1037456
  - CVE-2012-3412
* tcp: Apply device TSO segment limit earlier
  - LP: #1037456
  - CVE-2012-3412
* sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
  - LP: #1037456
  - CVE-2012-3412
* sfc: Fix maximum number of TSO segments and minimum TX queue size
  - LP: #1037456
  - CVE-2012-3412
* mm: Hold a file reference in madvise_remove
  - LP: #1042447
  - CVE-2012-3511
* cred: copy_process() should clear child->replacement_session_keyring
  - LP: #1023535
  - CVE-2012-2745

lp://qastaging/ubuntu/lucid-updates/linux-lts-backport-natty bug Mature 2012-09-07 14:15:51 UTC
19. [Luis Henriques] * Release Tracking ...

Author: Luis Henriques
Revision Date: 2012-09-07 14:15:51 UTC

[Luis Henriques]

* Release Tracking Bug
  - LP: #1047350

[ Upstream Kernel Changes ]

* rds: set correct msg_namelen
  - LP: #1031112
  - CVE-2012-3430
* eCryptfs: Initialize empty lower files when opening them
  - LP: #911507
* net: Allow driver to limit number of GSO segments per skb
  - LP: #1037456
  - CVE-2012-3412
* tcp: do not scale TSO segment size with reordering degree
  - LP: #1037456
  - CVE-2012-3412
* tcp: Apply device TSO segment limit earlier
  - LP: #1037456
  - CVE-2012-3412
* sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
  - LP: #1037456
  - CVE-2012-3412
* sfc: Fix maximum number of TSO segments and minimum TX queue size
  - LP: #1037456
  - CVE-2012-3412
* mm: Hold a file reference in madvise_remove
  - LP: #1042447
  - CVE-2012-3511
* cred: copy_process() should clear child->replacement_session_keyring
  - LP: #1023535
  - CVE-2012-2745

lp://qastaging/ubuntu/lucid-security/openjdk-6 bug Mature 2012-08-31 22:45:37 UTC
124. * SECURITY UPDATE: Update to IcedTea ...

Author: Steve Beattie
Revision Date: 2012-08-31 22:45:37 UTC

* SECURITY UPDATE: Update to IcedTea 6 1.11.4
  - Security fixes:
    - S7162476, CVE-2012-1682: XMLDecoder security issue via
      ClassFinder
    - S7163201, CVE-2012-0547: Simplify toolkit internals references
  - Bug fixes:
    - S7182135: Impossible to use some editors directly
    - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java
      failed with NPE

lp://qastaging/ubuntu/lucid-updates/openjdk-6 bug Mature 2012-08-31 22:45:37 UTC
40. * SECURITY UPDATE: Update to IcedTea ...

Author: Steve Beattie
Revision Date: 2012-08-31 22:45:37 UTC

* SECURITY UPDATE: Update to IcedTea 6 1.11.4
  - Security fixes:
    - S7162476, CVE-2012-1682: XMLDecoder security issue via
      ClassFinder
    - S7163201, CVE-2012-0547: Simplify toolkit internals references
  - Bug fixes:
    - S7182135: Impossible to use some editors directly
    - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java
      failed with NPE

lp://qastaging/ubuntu/lucid-updates/pango-graphite Mature 2012-08-30 21:58:19 UTC
4. Add debian/patches/u01_crasher-fix.pa...

Author: Martin Erik Werner
Revision Date: 2012-07-06 00:25:22 UTC

Add debian/patches/u01_crasher-fix.patch:
Fixes for causing crashes in several applications, including GDM
(LP: #540035)

lp://qastaging/ubuntu/lucid-security/thunderbird bug Mature 2012-08-30 21:11:34 UTC
58. * New upstream stable release (THUNDE...

Author: Chris Coulson
Revision Date: 2012-08-27 11:34:02 UTC

* New upstream stable release (THUNDERBIRD_15_0_BUILD1)
  - see LP: #1042165 for USN information

* Make thunderbird-dbg depend on the correct version of thunderbird
  - update debian/control
* Separate the package name from the application name. This enables us to
  change the package name without having to modify the application (eg,
  to allow us to provide official branded versions of Thunderbird ESR using
  the package name "thunderbird-esr"). In doing this, also drop the patch we
  had to rename Thunderbird in nightlies, and just use some magic in debian/rules
  instead
  - update debian/apport/source_thunderbird.py.in
  - update debian/build/get-orig-source.mk
  - update debian/control.in
  - update debian/control.langpacks
  - update debian/control.langpacks.unavail
  - remove debian/patches/change-moz-app-name.patch
  - update debian/patches/series
  - update debian/rules
  - update debian/thunderbird.install.in
  - update debian/thunderbird.links.in
  - update debian/thunderbird.lintian-overrides.in
  - update debian/thunderbird.postinst.in
  - update debian/thunderbird.postrm.in
  - update debian/thunderbird.preinst.in
  - update debian/thunderbird.sh.in
* Move parts of debian/rules that can be shared with Firefox to a
  new, common file (mozbuild.mk)
  - update debian/rules
  - add debian/build/mozbuild.mk
  - add debian/build/mozvars.mk
  - update debian/build/testsuite.mk
* Make it possible to use the same create-tarball.py for Firefox and
  Thunderbird
  - update debian/build/create-tarball.py
  - update debian/build/get-orig-source.mk
  - add debian/config/tarball.conf
* Switch to source format 3.0
  - add debian/source/format
  - add debian/source/options to diff-ignore the .mozclient.mk file which
    is created during clean, and to pass "--no-preparation"
  - update debian/build/enable-dist-patches.pl
  - rename debian/patches/series => debian/patches/series.in so the source
    isn't built with patches applied
  - add debian/README.source
* Goodbye embedded tarball, and our use of tarball.mk!
  - update debian/build/create-tarball.py
  - update debian/build/extract-file.py
  - update debian/build/get-orig-source.mk
  - update debian/build/mozbuild.mk
* Run the upstream cleansrcdir target during clean
  - update debian/build/mozbuild.mk
* Support the "parallel" option in DEB_BUILD_OPTIONS
  - update debian/build/mozbuild.mk
  - update debian/config/mozconfig.in
* Get rid of pointless python script
  - remove debian/build/extract-file.py
  - update debian/build/mozbuild.mk
* Merge get-orig-source.mk in to mozbuild.mk
  - update debian/build/mozbuild.mk
  - remove debian/build/get-orig-source.mk
* Handle comments in locales.blacklist
  - update debian/build/refresh-supported-locales.pl
  - update debian/config/locales.blacklist
* Fork the upstream text preprocessor and add support for additional
  comparison operators, which means we no longer have to add new
  defines for every distro version specific change we add
  - add debian/build/Expression.py
  - add debian/build/Preprocessor.py
  - update debian/apport/source_thunderbird.py.in
  - update debian/build/mozbuild.mk
  - update debian/config/mozconfig.in
  - update debian/rules
  - update debian/thunderbird.desktop.in
  - update debian/thunderbird.install.in
  - update debian/thunderbird.links.in
  - update debian/thunderbird.postinst.in
  - update debian/thunderbird.postrm.in
  - update debian/thunderbird.preinst.in
* Drop powerpc patches, which are fixed upstream
  - remove debian/patches/fix-dtoa-build-on-ppc.patch and
  - remove debian/patches/fix-build-failure-without-yarr-jit.patch
  - update debian/patches/series.in
* Drop fix-crashreporter-ftbfs-with-gcc4.7.patch, which is fixed upstream

lp://qastaging/ubuntu/lucid-updates/libapache2-mod-rpaf Mature 2012-08-29 20:03:30 UTC
3. fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-08-22 16:28:07 UTC

fake sync from Debian

lp://qastaging/ubuntu/lucid-security/libapache2-mod-rpaf Mature 2012-08-29 19:43:56 UTC
3. fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-08-22 16:28:07 UTC

fake sync from Debian

lp://qastaging/ubuntu/lucid-security/firefox bug Mature 2012-08-29 09:20:28 UTC
86. * New upstream stable release (FIREFO...

Author: Chris Coulson
Revision Date: 2012-08-25 20:38:03 UTC

* New upstream stable release (FIREFOX_15_0_BUILD1)
  - see LP: #1041620 for USN information

* Add Acholi to the locale blacklist
* Separate the package name from the application name in various places.
  This enables us to change the package name without having to modify the
  application or packaging (eg, to allow us to provide official branded
  versions of Firefox ESR using the package name "firefox-esr")
  - update debian/README.Debian.in
  - update debian/apport/source_firefox.py.in
  - update debian/build/get-orig-source.mk
  - update debian/control{,.in}
  - update debian/control.langpacks
  - update debian/control.langpacks.unavail
  - update debian/firefox-locale.preinst.in
  - update debian/firefox.install.in
  - update debian/firefox.links.in
  - update debian/firefox.lintian-overrides.in
  - update debian/firefox.postinst.in
  - update debian/firefox.postrm.in
  - update debian/firefox.preinst.in
  - update debian/firefox.sh.in
  - remove debian/patches/change-moz-app-name.patch
  - update debian/patches/series
  - update debian/rules
  - update debian/usr.bin.firefox.apparmor.*
* Move parts of debian/rules that can be shared with Thunderbird to a
  new, common file (mozbuild.mk)
  - update debian/rules
  - add debian/build/mozbuild.mk
  - add debian/build/mozvars.mk
  - update debian/build/testsuite.mk
* Make it possible to use the same create-tarball.py for Firefox and
  Thunderbird
  - update debian/build/create-tarball.py
  - update debian/build/get-orig-source.mk
  - add debian/config/tarball.conf
* Switch to source format 3.0
  - add debian/source/format
  - add debian/source/options to diff-ignore the .mozclient.mk file which
    is created during clean, and to pass "--no-preparation"
  - update debian/build/enable-dist-patches.pl
  - rename debian/patches/series => debian/patches/series.in so the source
    isn't built with patches applied
  - update debian/README.source
* Goodbye embedded tarball, and our use of tarball.mk!
  - update debian/build/create-tarball.py
  - update debian/build/extract-file.py
  - update debian/build/get-orig-source.mk
  - update debian/build/mozbuild.mk
* Run the upstream cleansrcdir target during clean
  - update debian/build/mozbuild.mk
* Refresh patches
  - update debian/patches/mozilla-kde.patch
* Support the "parallel" option in DEB_BUILD_OPTIONS
  - update debian/build/mozbuild.mk
  - update debian/config/mozconfig.in
* Drop some of the complex shell script for creating language packs
  - update debian/build/mozbuild.mk
  - update debian/build/get-xpi-id.py
* Drop searchplugin patches - these patches are an absolute pain to maintain,
  as they seem to break frequently and we have to touch each localized
  plugin. Instead, just keep our own copy of plugins we modify, and add
  these in to the language packs at the end of the build process
  - remove debian/patches/ubuntu-codes-google.patch
  - remove debian/patches/ubuntu-codes-amazon.patch
  - remove debian/patches/ubuntu-codes-baidu.patch
  - update debian/patches/series.in
  - update debian/build/mozbuild.mk
  - add debian/searchplugins/*
* Get rid of pointless python script
  - remove debian/build/extract-file.py
  - update debian/build/mozbuild.mk
* Add an automated check for finding search engines that match particular
  patterns and verifying that they are replaced with our own search
  engine if we think they should be
  - add debian/build/check-search-overrides.pl
  - update debian/build/mozbuild.mk
  - add debian/searchplugins/overrides.json
  - update debian/control{,.in}
* Drop reload-new-plugins.patch, as this shouldn't actually be needed
  - remove debian/patches/reload-new-plugins.patch
  - update debian/patches/series.in
* Merge get-orig-source.mk in to mozbuild.mk
  - update debian/build/mozbuild.mk
  - remove debian/build/get-orig-source.mk
* Handle comments in locales.blacklist
  - update debian/build/refresh-supported-locales.pl
  - update debian/config/locales.blacklist
* Fork the upstream text preprocessor and add support for additional
  comparison operators, which means we no longer have to add new
  defines for every distro version specific change we add
  - add debian/build/Expression.py
  - add debian/build/Preprocessor.py
  - update debian/apport/source_firefox.py.in
  - update debian/build/mozbuild.mk
  - update debian/config/mozconfig.in
  - update debian/firefox-dev.install.in
  - update debian/firefox-locale.preinst.in
  - update debian/firefox.desktop.in
  - update debian/firefox.dirs.in
  - update debian/firefox.install.in
  - update debian/firefox.links.in
  - update debian/firefox.postinst.in
  - update debian/firefox.postrm.in
  - update debian/firefox.preinst.in
  - update debian/firefox.prerm.in
  - update debian/rules
* Refresh shipped locales
* Drop powerpc patches, which are fixed upstream
  - remove debian/patches/fix-dtoa-build-on-ppc.patch and
  - remove debian/patches/fix-build-failure-without-yarr-jit.patch
  - update debian/patches/series.in
* Drop fix-crashreporter-ftbfs-with-gcc4.7.patch, which is fixed upstream

lp://qastaging/ubuntu/lucid-security/libgdata bug Mature 2012-08-29 06:52:08 UTC
5. * SECURITY UPDATE: failure to verify ...

Author: Steve Beattie
Revision Date: 2012-05-25 14:29:11 UTC

* SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
  - debian/patches/01_CVE-2012-1177.patch: cause libsoup to verify SSL
    certificates by creating soup session with the system CA file
  - CVE-2012-1177

lp://qastaging/ubuntu/lucid-updates/evolution-data-server bug Mature 2012-08-29 05:52:40 UTC
132. * SECURITY UPDATE: failure to verify ...

Author: Steve Beattie
Revision Date: 2012-05-30 23:32:07 UTC

* SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
  - debian/patches/93_CVE-2012-1177.patch: cause libsoup to verify SSL
    certificates by creating soup session with the system CA file
  - CVE-2012-1177

lp://qastaging/ubuntu/lucid-security/evolution-data-server bug Mature 2012-08-29 05:52:30 UTC
128. * SECURITY UPDATE: failure to verify ...

Author: Steve Beattie
Revision Date: 2012-05-30 23:32:07 UTC

* SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
  - debian/patches/93_CVE-2012-1177.patch: cause libsoup to verify SSL
    certificates by creating soup session with the system CA file
  - CVE-2012-1177

lp://qastaging/ubuntu/lucid-updates/libgc Mature 2012-08-28 22:19:26 UTC
12. * SECURITY UPDATE: multiple integer o...

Author: Steve Beattie
Revision Date: 2012-08-01 23:38:15 UTC

* SECURITY UPDATE: multiple integer overflows
  - malloc.c, mallocx.c: check for integer overflow in internal
    malloc and calloc routines.
  - CVE-2012-2673

lp://qastaging/ubuntu/lucid-security/libgc Mature 2012-08-28 21:21:38 UTC
12. * SECURITY UPDATE: multiple integer o...

Author: Steve Beattie
Revision Date: 2012-08-01 23:38:15 UTC

* SECURITY UPDATE: multiple integer overflows
  - malloc.c, mallocx.c: check for integer overflow in internal
    malloc and calloc routines.
  - CVE-2012-2673

lp://qastaging/ubuntu/lucid-security/jabberd2 Mature 2012-08-23 08:18:02 UTC
22. * SECURITY UPDATE: Fixed possibility ...

Author: Jamie Strandboge
Revision Date: 2012-08-23 08:18:02 UTC

* SECURITY UPDATE: Fixed possibility of Unsolicited Dialback Attacks
  - debian/patches/CVE-2012-3525.dpatch: check Verify Response and
    Authorization Response in s2s sessions
  - CVE-2012-3525

lp://qastaging/ubuntu/lucid-updates/jabberd2 Mature 2012-08-23 08:18:02 UTC
22. * SECURITY UPDATE: Fixed possibility ...

Author: Jamie Strandboge
Revision Date: 2012-08-23 08:18:02 UTC

* SECURITY UPDATE: Fixed possibility of Unsolicited Dialback Attacks
  - debian/patches/CVE-2012-3525.dpatch: check Verify Response and
    Authorization Response in s2s sessions
  - CVE-2012-3525

lp://qastaging/ubuntu/lucid-proposed/gnupg Mature 2012-08-21 17:05:56 UTC
30. debian/patches/long-keyids.dpatch: Us...

Author: Marc Deslauriers
Revision Date: 2012-08-14 08:41:19 UTC

debian/patches/long-keyids.dpatch: Use the longest key ID available
when requesting a key from a key server.

lp://qastaging/ubuntu/lucid-updates/libconfig-inifiles-perl Mature 2012-08-21 11:52:31 UTC
8. * SECURITY UPDATE: insecure temporary...

Author: Jamie Strandboge
Revision Date: 2012-08-17 08:17:18 UTC

* SECURITY UPDATE: insecure temporary file usage
  - adjust lib/Config/IniFiles.pm to use tempfile()
  - Patch backported from upstream a08fa26f4f59
  - CVE-2012-2451

lp://qastaging/ubuntu/lucid-security/libconfig-inifiles-perl Mature 2012-08-21 11:52:24 UTC
8. * SECURITY UPDATE: insecure temporary...

Author: Jamie Strandboge
Revision Date: 2012-08-17 08:17:18 UTC

* SECURITY UPDATE: insecure temporary file usage
  - adjust lib/Config/IniFiles.pm to use tempfile()
  - Patch backported from upstream a08fa26f4f59
  - CVE-2012-2451

lp://qastaging/ubuntu/lucid-updates/globus-gridftp-server-control Mature 2012-08-21 11:18:02 UTC
3. * SECURITY UPDATE: Wrong user mapping...

Author: Mattias Ellert
Revision Date: 2012-07-19 16:11:28 UTC

* SECURITY UPDATE: Wrong user mapping on badly configured server
  (LP: #1027323)
  - debian/patches/globus-gridftp-server-control-pw195.patch: backported
    from upstream
  - CVE-2012-3292

lp://qastaging/ubuntu/lucid-security/globus-gridftp-server-control bug Mature 2012-08-21 11:17:58 UTC
3. * SECURITY UPDATE: Wrong user mapping...

Author: Mattias Ellert
Revision Date: 2012-07-19 16:11:28 UTC

* SECURITY UPDATE: Wrong user mapping on badly configured server
  (LP: #1027323)
  - debian/patches/globus-gridftp-server-control-pw195.patch: backported
    from upstream
  - CVE-2012-3292

lp://qastaging/ubuntu/lucid-updates/globus-gridftp-server Mature 2012-08-21 11:10:34 UTC
4. * SECURITY UPDATE: Wrong user mapping...

Author: Mattias Ellert
Revision Date: 2012-07-19 16:28:47 UTC

* SECURITY UPDATE: Wrong user mapping on badly configured server
  (LP: #1027324)
  - debian/patches/globus-gridftp-server-pw195.patch: backported from
    upstream
  - CVE-2012-3292

lp://qastaging/ubuntu/lucid-security/globus-gridftp-server bug Mature 2012-08-21 11:10:26 UTC
4. * SECURITY UPDATE: Wrong user mapping...

Author: Mattias Ellert
Revision Date: 2012-07-19 16:28:47 UTC

* SECURITY UPDATE: Wrong user mapping on badly configured server
  (LP: #1027324)
  - debian/patches/globus-gridftp-server-pw195.patch: backported from
    upstream
  - CVE-2012-3292

lp://qastaging/ubuntu/lucid-security/imagemagick Mature 2012-08-17 09:59:07 UTC
24. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2012-08-17 09:59:07 UTC

* SECURITY UPDATE: denial of service via large resource consumption
  - debian/patches/CVE-2012-3437.patch: always use correct size argument
    with libpng memory allocation
  - CVE-2012-3437

lp://qastaging/ubuntu/lucid-updates/imagemagick Mature 2012-08-17 09:59:07 UTC
24. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2012-08-17 09:59:07 UTC

* SECURITY UPDATE: denial of service via large resource consumption
  - debian/patches/CVE-2012-3437.patch: always use correct size argument
    with libpng memory allocation
  - CVE-2012-3437

lp://qastaging/ubuntu/lucid-updates/expat Mature 2012-08-15 13:38:50 UTC
8. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-08-09 12:02:05 UTC

* SECURITY UPDATE: Denial of service via hash collisions
  - debian/patches/577777_CVE_2012_0876.dpatch: Add random salt value to
    hash inputs. Based on upstream patch.
  - CVE-2012-0876
* SECURITY UPDATE: Denial of service via memory leak
  - debian/patches/588888_CVE_2012_1148.dpatch: Properly reallocate memory.
    Based on upstream patch.
  - CVE-2012-1148

lp://qastaging/ubuntu/lucid-proposed/gnupg2 bug Mature 2012-08-14 13:34:54 UTC
14. debian/patches/long-keyids.diff: Use ...

Author: Marc Deslauriers
Revision Date: 2012-08-14 13:34:54 UTC

debian/patches/long-keyids.diff: Use the longest key ID available
when requesting a key from a key server.

lp://qastaging/ubuntu/lucid-backports/tickr bug Mature 2012-08-10 10:48:37 UTC
8. No-change backport to lucid (LP: #102...

Author: Iain Lane
Revision Date: 2012-08-10 10:59:25 UTC

No-change backport to lucid (LP: #1027173)

lp://qastaging/ubuntu/lucid-security/expat Mature 2012-08-10 07:39:14 UTC
8. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-08-09 12:02:05 UTC

* SECURITY UPDATE: Denial of service via hash collisions
  - debian/patches/577777_CVE_2012_0876.dpatch: Add random salt value to
    hash inputs. Based on upstream patch.
  - CVE-2012-0876
* SECURITY UPDATE: Denial of service via memory leak
  - debian/patches/588888_CVE_2012_1148.dpatch: Properly reallocate memory.
    Based on upstream patch.
  - CVE-2012-1148

lp://qastaging/ubuntu/lucid-updates/ipsec-tools Mature 2012-08-10 06:47:09 UTC
26. * src/racoon/handler.c: fix phase 2 n...

Author: Robie Basak
Revision Date: 2012-03-09 19:01:04 UTC

* src/racoon/handler.c: fix phase 2 negotiation (LP: #947309).
  - Patch from upstream CVS revisions 1.31 and 1.32.
  - Fixes Vista and Windows 7 client support.

lp://qastaging/ubuntu/lucid-updates/network-manager-applet Mature 2012-08-09 22:27:29 UTC
52. * SECURITY UPDATE: Insecure WPA AdHoc...

Author: Marc Deslauriers
Revision Date: 2012-06-22 09:31:35 UTC

* SECURITY UPDATE: Insecure WPA AdHoc network creation (LP: #905748)
  - debian/patches/CVE-2012-2736.patch: disable WPA-secured adhoc
    wireless networks.
  - CVE-2012-2736

lp://qastaging/ubuntu/lucid-security/network-manager-applet bug Mature 2012-08-09 22:27:21 UTC
52. * SECURITY UPDATE: Insecure WPA AdHoc...

Author: Marc Deslauriers
Revision Date: 2012-06-22 09:31:35 UTC

* SECURITY UPDATE: Insecure WPA AdHoc network creation (LP: #905748)
  - debian/patches/CVE-2012-2736.patch: disable WPA-secured adhoc
    wireless networks.
  - CVE-2012-2736

lp://qastaging/ubuntu/lucid-updates/nis Mature 2012-08-07 03:55:38 UTC
27. debian/nis.ypbind.upstart: don't try ...

Author: Steve Langasek
Revision Date: 2012-03-28 16:36:23 UTC

debian/nis.ypbind.upstart: don't try to start ypserv if NISSERVER=false.

lp://qastaging/ubuntu/lucid-security/nvidia-graphics-drivers-173 bug Mature 2012-08-05 10:57:34 UTC
35. * SECURITY UPDATE: privilege escalati...

Author: Marc Deslauriers
Revision Date: 2012-08-05 10:57:34 UTC

* SECURITY UPDATE: privilege escalation via kernel memory access
  - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
    more offsets in nv.{c,h}.
  - debian/dkms.conf{.in}: added new patch.
  - CVE number pending

lp://qastaging/ubuntu/lucid-updates/nvidia-graphics-drivers-173 Mature 2012-08-05 10:57:34 UTC
35. * SECURITY UPDATE: privilege escalati...

Author: Marc Deslauriers
Revision Date: 2012-08-05 10:57:34 UTC

* SECURITY UPDATE: privilege escalation via kernel memory access
  - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
    more offsets in nv.{c,h}.
  - debian/dkms.conf{.in}: added new patch.
  - CVE number pending

lp://qastaging/ubuntu/lucid-security/nvidia-graphics-drivers bug Mature 2012-08-05 09:47:18 UTC
21. * SECURITY UPDATE: privilege escalati...

Author: Marc Deslauriers
Revision Date: 2012-08-05 09:47:18 UTC

* SECURITY UPDATE: privilege escalation via kernel memory access
  - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
    more offsets in nv.{c,h}.
  - debian/dkms.conf{.in}: added new patch.
  - CVE number pending

lp://qastaging/ubuntu/lucid-updates/nvidia-graphics-drivers bug Mature 2012-08-05 09:47:18 UTC
24. * SECURITY UPDATE: privilege escalati...

Author: Marc Deslauriers
Revision Date: 2012-08-05 09:47:18 UTC

* SECURITY UPDATE: privilege escalation via kernel memory access
  - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
    more offsets in nv.{c,h}.
  - debian/dkms.conf{.in}: added new patch.
  - CVE number pending

lp://qastaging/ubuntu/lucid-updates/pudb Mature 2012-08-03 07:50:37 UTC
4. set XS-Python-Version to >= 2.5 so it...

Author: Julian Taylor
Revision Date: 2012-06-30 15:50:34 UTC

set XS-Python-Version to >= 2.5 so it builds for lucid's python
LP: #605303

lp://qastaging/ubuntu/lucid-updates/hg-git Mature 2012-08-01 20:17:53 UTC
6. 000-fix-line-split-error-on-bad-data-...

Author: Julian Taylor
Revision Date: 2012-04-30 18:45:32 UTC

000-fix-line-split-error-on-bad-data-from-rebase.diff:
fix crash when bad data from rebase is in the log (LP: #986279)

lp://qastaging/ubuntu/lucid-security/krb5 bug Mature 2012-07-31 19:06:26 UTC
34. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-23 22:16:20 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

lp://qastaging/ubuntu/lucid-proposed/cacti bug Mature 2012-07-30 01:44:50 UTC
27. * Fix regression in the CVE-2010-1645...

Author: Paul Gevers
Revision Date: 2012-07-18 13:55:19 UTC

* Fix regression in the CVE-2010-1645 update on error handling:
  "PHP Fatal error: Cannot use string offset as an array in
   /usr/share/cacti/site/lib/data_query.php on line 183" (LP: #914746)
  - debian/patches/LP914746_regression_lucid_string_offset_in_data_query.patch

lp://qastaging/ubuntu/lucid-updates/mono Mature 2012-07-27 14:21:41 UTC
18. * SECURITY UPDATE: cross-site scripti...

Author: Marc Deslauriers
Revision Date: 2012-07-24 13:49:00 UTC

* SECURITY UPDATE: cross-site scripting vulnerability
  - debian/patches/CVE-2012-3382.dpatch: properly escape error message in
    mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs.
  - CVE-2012-3382
* SECURITY UPDATE: cross-site scripting vulnerability
  - debian/patches/CVE-2010-1459.dpatch: properly handle
    EnableViewStateMac property in
    mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs,
    mcs/class/System.Web/System.Web.UI/Page.cs,
    mcs/class/System.Web/System.Web.UI/PageParser.cs.
  - CVE-2010-1459

lp://qastaging/ubuntu/lucid-security/mono Mature 2012-07-25 19:54:04 UTC
18. * SECURITY UPDATE: cross-site scripti...

Author: Marc Deslauriers
Revision Date: 2012-07-24 13:49:00 UTC

* SECURITY UPDATE: cross-site scripting vulnerability
  - debian/patches/CVE-2012-3382.dpatch: properly escape error message in
    mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs.
  - CVE-2012-3382
* SECURITY UPDATE: cross-site scripting vulnerability
  - debian/patches/CVE-2010-1459.dpatch: properly handle
    EnableViewStateMac property in
    mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs,
    mcs/class/System.Web/System.Web.UI/Page.cs,
    mcs/class/System.Web/System.Web.UI/PageParser.cs.
  - CVE-2010-1459

lp://qastaging/~bzr/ubuntu/lucid/bzr/beta-ppa Development 2012-07-25 08:32:41 UTC
153. Fix mangled duplication in debian/pat...

Author: Max Bowsher
Revision Date: 2012-07-25 08:32:41 UTC

Fix mangled duplication in debian/patches/03_spurious_test_failure

lp://qastaging/ubuntu/lucid-updates/moon Mature 2012-07-24 11:46:38 UTC
11. * Fix LP: #538796 - cannot open Firef...

Author: Chris Coulson
Revision Date: 2011-01-31 13:55:15 UTC

* Fix LP: #538796 - cannot open Firefox/Chromium/Chrome when moonlight
  is installed, due to a symbol collision with the icedtea plugin. Thanks
  to Evan Martin and Chris Toshok for figuring this out
  - add debian/patches/avoid_icedtea_symbol_collision.patch
  - update debian/patches/series

lp://qastaging/ubuntu/lucid-proposed/moon bug Mature 2012-07-24 11:45:50 UTC
12. * Update to 2.3 for the curl bridge, ...

Author: Chris Coulson
Revision Date: 2012-01-09 15:24:55 UTC

* Update to 2.3 for the curl bridge, so that we can disable the Firefox
  bridge; Allows compatibility with newer version of Firefox (LP: #904594)

* Build curl bridge
  - update debian/control
  - update debian/rules
  - update debian/moonlight-plugin-core.install
* Force inclusion of config.h where it isn't currently included, to
  ensure that important values such as object sizes are consistent.
  This ensures that the curl bridge doesn't break when built with
  -Bsymbolic-functions
  - add debian/patches/include_config.h_in_all_files.patch
  - update debian/patches/series
* Apply arm related patches from the mono package
* mono-2.6/libgc/include/private/gc_locks.h: For __ARM_EABI__ define
  GC_test_and_set and GC_clear to use the atomic builtins.
* Configure with --build= --host=.
* Import upstream git commit 66993b158727585e889d, which fixes the build on
  architectures without official binary codecs available (such as ARM and
  PowerPC).
  - add debian/patches/realign_nocodec_API_with_codec_API.patch
  - update debian/patches/series
* Make it possible to build without the Firefox bridge
  - add debian/patches/no-mozilla.patch
  - update debian/patches/series
* Don't build with --with-ff3 and drop the xulrunner-dev build-depend,
  therefore switching off the Firefox bridge
  - update debian/rules
  - update debian/control
  - remove debian/moonlight-plugin-mozilla.install

lp://qastaging/ubuntu/lucid-updates/libvirt bug Mature 2012-07-24 06:26:28 UTC
102. debian/libvirt-bin.install, debian/ru...

Author: Serge Hallyn
Revision Date: 2012-06-11 21:39:17 UTC

debian/libvirt-bin.install, debian/rules: name the apport file
source_libvirt.py, not source_libvirt-bin.py. (LP: #1007405)

lp://qastaging/~bzr/ubuntu/lucid/bzr-git/bzr-ppa Development 2012-07-24 03:42:13 UTC
78. Merge 0.6.9-1

Author: Max Bowsher
Revision Date: 2012-07-24 03:42:13 UTC

Merge 0.6.9-1

lp://qastaging/ubuntu/lucid-updates/krb5 Mature 2012-07-23 22:16:20 UTC
34. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-23 22:16:20 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

lp://qastaging/ubuntu/lucid-updates/libexif Mature 2012-07-23 19:08:02 UTC
11. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2012-07-19 14:16:25 UTC

* SECURITY UPDATE: denial of service and possible info disclosure via
  corrupted EXIF_TAG_COPYRIGHT tag (LP: #1024213)
  - debian/patches/CVE-2012-2812.patch: fix reading tags that aren't
    NUL-terminated in libexif/exif-entry.c.
  - CVE-2012-2812
* SECURITY UPDATE: denial of service and possible info disclosure via
  UTF-16 tag (LP: #1024213)
  - debian/patches/CVE-2012-2813.patch: don't read past the end of a
    tag when converting from UTF-16 in libexif/exif-entry.c.
  - CVE-2012-2813
* SECURITY UPDATE: denial of service and possible code execution via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2814.patch: fix buffer overflows in
    libexif/exif-entry.c.
  - CVE-2012-2814
* SECURITY UPDATE: denial of service and possible info disclosure via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2836.patch: fix buffer overflows in
    libexif/exif-data.c
  - CVE-2012-2836
* SECURITY UPDATE: denial of service via crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2837.patch: fix some possible
    division-by-zeros in libexif/olympus/mnote-olympus-entry.c.
  - CVE-2012-2837
* SECURITY UPDATE: denial of service and possible code execution via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2840.patch: fix off-by-one in
    libexif/exif-utils.c.
  - CVE-2012-2840
* SECURITY UPDATE: denial of service and possible code execution via
  incorrect buffer size (LP: #1024213)
  - debian/patches/CVE-2012-2841.patch: validate buffer length in
    libexif/exif-entry.c.
  - CVE-2012-2841
