Introduction
You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.
Backports are packages from testing (mostly) and unstable (in a few cases only, e.g. security updates), recompiled in a stable environment so that they run without new libraries (whenever possible) on a Debian stable distribution. It is recommended to select the single backports that fit your needs rather than using all available backports.
Where to start
- Users should start at the Instructions page.
- Contributors should start at the Contribute page.
- If you want to know which packages are available via backports.debian.org look at the Packages page.
News
Harald Jenny uploaded new packages for openswan which fixed the following security problems:
CVE-2011-4073
Use-after-free vulnerability in the cryptographic helper handler
functionality in Openswan 2.3.0 through 2.6.36 allows remote
authenticated users to cause a denial of service (pluto IKE daemon
crash) via vectors related to the (1) quick_outI1_continue and (2)
quick_outI1 functions.
For the lenny-backports distribution the problems have been fixed in
version 1:2.6.28+dfsg-5+squeeze1~bpo50+1.
For the oldstable distribution (lenny), this problem has been fixed in
version 1:2.4.12+dfsg-1.3+lenny3.
For the stable distribution (squeeze), this problem has been fixed in
version 1:2.6.28+dfsg-5+squeeze1.
For the unstable distribution (sid), this problem has been fixed in
version 1:2.6.37-1.
Upgrade instructions
--------------------
If you don't use pinning (see [1]), you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
<packagelist> is the list of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>
We recommend pinning the backports repository (in /etc/apt/preferences)
to 200 so that new versions of installed backports are installed
automatically.
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
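As an added example (not part of the backports.debian.org page), a small POSIX shell script that derives the <packagelist> above from dpkg-query output and checks whether /etc/apt/preferences carries the recommended pin; the dpkg-query output and preferences text are constructed sample data embedded in the script.

```shell
#!/bin/sh
# Added example, not code from backports.debian.org: work out the
# "<packagelist>" the upgrade instructions ask for, and check whether the
# recommended pin is in place. Backport versions carry a "~bpoNN+M" suffix
# (e.g. 0.9.8o-4squeeze4~bpo50+1), so the version string identifies them.

# Read "package<TAB>version" lines (the output format of
# `dpkg-query -W -f '${Package}\t${Version}\n'`) on stdin and print the
# names whose version carries a backports suffix, one per line.
bpo_installed() {
    awk -F'\t' '$2 ~ /~bpo[0-9]+\+[0-9]+/ { print $1 }'
}

# Succeed (exit 0) only if the apt preferences text on stdin pins the named
# suite for all packages at the recommended priority 200.
pin_is_200() {
    awk -v suite="$1" '
        /^Package:/      { pkg = $2 }
        /^Pin:/          { rel = $0 }
        /^Pin-Priority:/ { if (pkg == "*" && rel ~ ("a=" suite "$") && $2 == 200) ok = 1 }
        END              { exit ok ? 0 : 1 }'
}

# Constructed sample of dpkg-query output: two backports and one stable package
# (the stable apache2 version is made up for the example).
sample_dpkg() {
    printf 'openssl\t0.9.8o-4squeeze4~bpo50+1\n'
    printf 'libsndfile1\t1.0.21-3+squeeze1~bpo50+1\n'
    printf 'apache2\t2.2.9-10+lenny9\n'
}

# The stanza the advisories recommend for /etc/apt/preferences.
sample_prefs() {
    printf 'Package: *\nPin: release a=lenny-backports\nPin-Priority: 200\n'
}

# Space-separated argument for "apt-get -t lenny-backports install <packagelist>".
packagelist() {
    sample_dpkg | bpo_installed | tr '\n' ' ' | sed 's/ $//'
}

# On a real host replace sample_dpkg with dpkg-query and sample_prefs with
# "cat /etc/apt/preferences".
if sample_prefs | pin_is_200 lenny-backports; then
    echo "pin at 200: new versions of installed backports upgrade automatically"
else
    echo "no pin: run apt-get -t lenny-backports install $(packagelist)"
fi
```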
This update to the NSS cryptographic libraries revokes the trust in the "DigiCert Sdn. Bhd" certificate authority. More information can be found in the Mozilla Security Blog: http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
This update also fixes an insecure load path for pkcs11.txt configuration
file (CVE-2011-3640).
For the oldstable distribution (lenny), this problem has been fixed
in version 3.12.3.1-0lenny7.
For the lenny-backports distribution the problems have been fixed in
version 3.12.8-1+squeeze4~bpo50+1.
For the stable distribution (squeeze), this problem has been fixed in
version 3.12.8-1+squeeze4.
For the squeeze-backports distribution the problems have been fixed
in version 3.13.1.with.ckbi.1.88-1~bpo60+1.
For the unstable distribution (sid), this problem has been fixed in
version 3.13.1.with.ckbi.1.88-1.
Upgrade instructions
--------------------
If you don't use pinning (see [1]), you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
<packagelist> is the list of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>
We recommend pinning the backports repository (in /etc/apt/preferences)
to 200 so that new versions of installed backports are installed
automatically.
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
Andres Salomon uploaded new packages for openssl which fixed the following security problems:
CVE-2011-3210
Unsafe thread handling in the ECDH ciphersuite allows denial of
service attacks.
CVE-2011-1945
Timing attacks against ECDHE_ECDSA private keys.
CVE-2011-0014
Remote denial of service attacks possible or information leak
via malformed handshake messages.
For the lenny-backports distribution the problems have been fixed in
version 0.9.8o-4squeeze4~bpo50+1.
For the stable distribution (squeeze), the problems have been fixed
in version 0.9.8o-4squeeze4.
Andres Salomon uploaded new packages for libsndfile which fixed the following security problems:
CVE-2011-2696
Integer overflow when processing certain PARIS Audio Format
(PAF) files.
For the lenny-backports distribution the problem has been fixed in
version 1.0.21-3+squeeze1~bpo50+1.
For the stable distribution (squeeze), this problem has been fixed
in version 1.0.21-3+squeeze1.
Andres Salomon uploaded new packages for apache2 which fixed the following security problem:
CVE-2011-3348
Possible denial of service in mod_proxy_ajp if combined with
mod_proxy_balancer.
For the lenny-backports distribution the problem has been fixed in
version 2.2.16-6+squeeze4~bpo50+1.
For the stable distribution (squeeze), this problem has been fixed
in version 2.2.16-6+squeeze4.
Mike Hommey uploaded new packages for iceweasel which fixed the following security problems:
CVE-2011-3647
"moz_bug_r_a4" discovered a privilege escalation vulnerability in
addon handling.
CVE-2011-3648
Yosuke Hasegawa discovered that incorrect handling of Shift-JIS
encodings could lead to cross-site scripting.
CVE-2011-3650
Marc Schoenefeld discovered that profiling the JavaScript code
could lead to memory corruption.
For the oldstable distribution (lenny), this problem has been fixed in
version 1.9.0.19-15 of the xulrunner source package.
For the lenny-backports distribution the problems have been fixed in
version 3.5.16-11~bpo50+1.
For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-11.
For the unstable distribution (sid), this problem has been fixed in
version 8.0-1.
Upgrade instructions
--------------------
If you don't use pinning (see [1]), you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
<packagelist> is the list of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>
We recommend pinning the backports repository (in /etc/apt/preferences)
to 200 so that new versions of installed backports are installed
automatically.
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
Micah Anderson uploaded new packages for puppet which fixed the following security problems:
CVE-2011-3872
Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet
Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an
agent certificate, adds the Puppet master's certdnsnames values to the
X.509 Subject Alternative Name field of the certificate, which allows
remote attackers to spoof a Puppet master via a man-in-the-middle
(MITM) attack against an agent that uses an alternate DNS name for the
master, aka "AltNames Vulnerability."
For the squeeze-backports distribution the problems have been fixed in
version 2.7.6-1~bpo60+1.
Guido Günther uploaded new packages for libvirt which fixed the following security problems:
CVE-2011-2511
Integer overflow in VirDomainGetVcpus
CVE-2011-1486
Non-thread-safe error reporting
For the squeeze-backports distribution the problems have been fixed in
version 0.9.2-7~bpo60+1.
For the lenny-backports distribution the problems have been fixed in
version 0.8.3-5+squeeze2~bpo50+2.
For lenny-backports only:
If you don't use pinning (see [1]), you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
<packagelist> is the list of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>
We recommend pinning the backports repository (in /etc/apt/preferences)
to 200 so that new versions of installed backports are installed
automatically.
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
Rene Engelhard uploaded new packages for libreoffice which fixed the following security problems:
CVE-2011-2713
Red Hat, Inc. security researcher Huzaifa Sidhpurwala reported multiple
vulnerabilities in the binary Microsoft Word (doc) file format importer
of OpenOffice.org, a full-featured office productivity suite that
provides a near drop-in replacement for Microsoft(R) Office.
For the squeeze-backports distribution the problems have been fixed in
version 1:3.4.3-3~bpo60+1.
Micah Anderson uploaded new packages for puppet which fixed the following security problems:
CVE-2011-3848
Kristian Erik Hermansen reported that an unauthenticated
directory traversal could drop any valid X.509 Certificate Signing
Request at any location on disk, with the privileges of the Puppet
Master application. This was found in the 2.7 series of Puppet, but
the underlying vulnerability existed in earlier releases and could be
accessed with different hostile inputs.
CVE-2011-3870
Ricky Zhou discovered a potential local privilege escalation in the
ssh_authorized_keys resource and theoretically in the Solaris and AIX
providers, where file ownership was given away before it was written,
leading to a possibility for a user to overwrite arbitrary files as
root, if their authorized_keys file was managed.
CVE-2011-3869
An insecure symlink attack could be made against the k5login type
which would allow the owner of the home directory to symlink to
anything on the system, and have it replaced with the "correct"
content of the file, which can lead to a privilege escalation on
puppet runs.
CVE-2011-3871
A potential local privilege escalation was found in the --edit mode of
'puppet resource' due to a persistent, predictable file name, which
can result in editing an arbitrary target file, and thus in being tricked
into running that arbitrary file as the invoking user. Since this command is
most commonly run as root, this leads to a potential privilege
escalation.
For the squeeze-backports distribution the problems have been fixed in
version 2.7.1-1~bpo60+3.