Introduction

You are running Debian stable, because you prefer the Debian stable tree. It runs great; there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.

Backports are packages from testing (mostly) and unstable (in a few cases only, e.g. security updates), recompiled in a stable environment so that they run without new libraries (whenever possible) on a Debian stable system.

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

It is therefore recommended to install only the individual backported packages that fit your needs, rather than pulling in all available backports.

News

Christian Perrier uploaded new packages for samba which fixed the following security problem:

CVE-2012-1182
  PIDL-based autogenerated code allows writing beyond the end of an
  allocated array.

For the squeeze-backports distribution the problems have been fixed in
version 2:3.6.4-1~bpo60+1.
Posted Sat Apr 14 08:51:02 2012

Following the normal Debian archive lifecycle, lenny-backports is now discontinued. That means that no uploads are possible anymore, and lenny-backports(-sloppy) is moved to archive.debian.org. If you haven't updated yet, now is the time to move to squeeze.

Some numbers about lenny-backports and lenny-backports-sloppy:

  • Source packages: lenny-backports: 667 - sloppy: 21
  • Uploads: lenny-backports: 1445 - sloppy: 51
  • Contributors: lenny-backports: 146 - sloppy: 17

Without all those contributors lenny-backports wouldn't have been possible. Thank you very much for your support!

Posted Sun Mar 25 09:07:14 2012

Paul Wise uploaded new packages for freetype which fixed the following security problems:

CVE-2011-3439
        FreeType allows remote attackers to execute arbitrary code or
        cause a denial of service (memory corruption) via a crafted
        font, a different vulnerability than CVE-2011-3256.

CVE-2011-3256
        FreeType before 2.4.7 allows remote attackers to execute
        arbitrary code or cause a denial of service (memory corruption)
        via a crafted font, a different vulnerability than
        CVE-2011-0226.

CVE-2011-0226
        Integer signedness error in psaux/t1decode.c in FreeType before
        2.4.6 allows remote attackers to execute arbitrary code or cause
        a denial of service (memory corruption and application crash)
        via a crafted Type 1 font.

For the squeeze-backports distribution the problems have been fixed in
version 2.4.8-1~bpo60+1.
Posted Fri Mar 23 06:56:21 2012

Cyril Lavier uploaded new packages for nginx which fixed the following security problems:

DSA-2434-1 nginx -- sensitive information leak

Matthew Daley discovered a memory disclosure vulnerability in nginx. In
previous versions of this web server, an attacker can receive the
content of previously freed memory if an upstream server returned a
specially crafted HTTP response, potentially exposing sensitive
information.

For the squeeze-backports distribution the problems have been fixed in
version

    1.1.17-2~bpo60+1

For wheezy (testing) and sid (unstable) this was fixed in version

    1.1.17-2

For squeeze (stable), this was fixed in version

    0.7.67-3+squeeze2
Posted Wed Mar 21 17:39:24 2012

Micah Anderson uploaded new packages for puppet which fixed the following security problems: CVE-2012-1053 and CVE-2012-1054

    CVE-2012-1053

    Puppet runs execs with unintended group privileges,
    potentially leading to privilege escalation.

    CVE-2012-1054

    The k5login type writes to untrusted locations, enabling
    local users to escalate their privileges if the k5login type is
    used.

For the squeeze-backports distribution the problems have been fixed in
version 2.7.11-1~bpo60+1.
Posted Wed Mar 21 15:12:26 2012

Gabriele Giacone uploaded new packages for gnash which fixed the following security problem:

CVE-2012-1175

  Tielei Wang from Georgia Tech Information Security Center discovered a
  vulnerability in GNU Gnash which is caused due to an integer overflow
  error and can be exploited to cause a heap-based buffer overflow by
  tricking a user into opening a specially crafted SWF file.


For the stable distribution (squeeze), this problem has been fixed in
version 0.8.8-5+squeeze1.

For the squeeze-backports distribution, this problem has been fixed in
version 0.8.10-5~bpo60+1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.10-5.
Posted Sat Mar 17 20:03:42 2012

David Bremner uploaded new packages for notmuch which fixed the following security problems:

DSA-2416-1 notmuch -- information disclosure

When using the Emacs interface, a user could be tricked into replying to
a maliciously formatted message which could lead to files from the local
machine being attached to the outgoing message.

For the squeeze-backports distribution the problems have been fixed in
version

        0.11.1~bpo60+1

For wheezy (testing) and sid (unstable) this was fixed in version

        0.11.1-1

For squeeze (stable), this is fixed in version

        0.3.1+squeeze1
Posted Thu Mar 15 19:15:15 2012

Kilian Krause uploaded new packages for fex which fixed the following security problems:

CVE-2012-0869, CVE-2012-1293 (see also DSA 2414-1 and 2412-2)

Nicola Fioravanti discovered that F*EX, a web service for transferring
very large files, is not properly sanitizing input parameters of the "fup"
script.  An attacker can use this flaw to conduct reflected cross-site
scripting attacks via various script parameters.

For the squeeze-backports distribution the problems have been fixed in
version 20120215-3~bpo60+1.

The Debian stable and unstable distributions are already fixed; testing (wheezy)
will receive this update in the next few days.

We recommend that you upgrade your fex packages.
Posted Sun Feb 26 15:00:26 2012

Harald Jenny uploaded new packages for openswan which fixed the following security problems:

CVE-2011-4073
  Use-after-free vulnerability in the cryptographic helper handler
  functionality in Openswan 2.3.0 through 2.6.36 allows remote
  authenticated users to cause a denial of service (pluto IKE daemon
  crash) via vectors related to the (1) quick_outI1_continue and (2)
  quick_outI1 functions.

For the lenny-backports distribution the problems have been fixed in
version 1:2.6.28+dfsg-5+squeeze1~bpo50+1.

For the oldstable distribution (lenny), this problem has been fixed in
version 1:2.4.12+dfsg-1.3+lenny3.

For the stable distribution (squeeze), this problem has been fixed in
version 1:2.6.28+dfsg-5+squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.6.37-1.

Upgrade instructions
--------------------

If you don't use pinning (see [1]), you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
<packagelist> is the list of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>

We recommend pinning the backports repository (in /etc/apt/preferences)
to priority 200 so that new versions of installed backports are installed
automatically. A priority of 200 stays below the 500 of the stable suite,
so stable packages are never replaced by backports unless you ask for them
with -t, but it is high enough that a package already installed from
backports is upgraded when a newer backports version appears.

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200
Posted Mon Jan 2 20:07:53 2012

This update to the NSS cryptographic libraries revokes the trust in the "DigiCert Sdn. Bhd" certificate authority. More information can be found in the Mozilla Security Blog: http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/

This update also fixes an insecure load path for pkcs11.txt configuration
file (CVE-2011-3640).

For the oldstable distribution (lenny), this problem has been fixed
in version 3.12.3.1-0lenny7.

For the lenny-backports distribution the problems have been fixed in
version 3.12.8-1+squeeze4~bpo50+1.

For the stable distribution (squeeze), this problem has been fixed in
version 3.12.8-1+squeeze4.

For the squeeze-backports distribution the problems have been fixed
in version 3.13.1.with.ckbi.1.88-1~bpo60+1.

For the unstable distribution (sid), this problem has been fixed in
version 3.13.1.with.ckbi.1.88-1.

Upgrade instructions
--------------------

If you don't use pinning (see [1]), you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
<packagelist> is the list of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>

We recommend pinning the backports repository (in /etc/apt/preferences)
to priority 200 so that new versions of installed backports are installed
automatically. A priority of 200 stays below the 500 of the stable suite,
so stable packages are never replaced by backports unless you ask for them
with -t, but it is high enough that a package already installed from
backports is upgraded when a newer backports version appears.

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200
Posted Tue Nov 15 07:23:14 2011
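The upgrade instructions in the openswan and NSS advisories above leave it to you to work out which installed backports are affected when you don't pin the repository. The script below is an added example written for this page; it is not backports.debian.org tooling or code from any Debian package. It re-implements dpkg's version ordering in Python (so the comparison also runs on a machine without dpkg), reads "package version" pairs as printed by dpkg-query -W, and lists the installed ~bpo packages that are still older than the version an advisory names, followed by the apt-get line the advisories recommend. Packages not installed from backports are skipped on purpose, since those are covered by the stable security update rather than by backports. The sample dpkg output, the installed versions in it, and the binary package names used for the source packages (libfreetype6 for freetype, libnss3 for nss) are constructed for the example.

```python
"""Check installed backports against the fixed versions named in an advisory.

Added example, not backports.debian.org or Debian package code. The version
ordering follows dpkg's algorithm: epoch, then upstream, then revision, each
compared as alternating non-digit and digit runs, with '~' sorting before
everything, including the end of the string.
"""
import sys
from typing import Dict, List, Tuple

_DIGITS = "0123456789"


def _order(c: str) -> int:
    # dpkg's character weight: '~' < end of string (0) < letters < other chars.
    if c == "~":
        return -1
    if c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros; the longer number wins, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Same result sign as `dpkg --compare-versions a lt/eq/gt b`: <0, 0 or >0."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_backport(version: str) -> bool:
    # Backports carry a ~bpoNN+M suffix, e.g. ~bpo60+1 for squeeze-backports.
    return "~bpo" in version


def outdated_backports(dpkg_output: str, advisory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(package, installed, fixed) for installed ~bpo packages older than the advisory's version."""
    hits = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, installed = parts
        fixed = advisory.get(pkg)
        if fixed is None or not is_backport(installed):
            continue
        if compare_versions(installed, fixed) < 0:
            hits.append((pkg, installed, fixed))
    return hits


def upgrade_command(suite: str, packages: List[str]) -> str:
    """The manual upgrade line the advisories recommend when no pin is in place."""
    return "apt-get -t %s install %s" % (suite, " ".join(sorted(packages)))


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE_DPKG_OUTPUT = """\
nginx 1.1.15-1~bpo60+1
samba 2:3.6.4-1~bpo60+1
libfreetype6 2.4.7-2~bpo60+1
puppet 2.7.11-1~bpo60+1
libnss3 3.12.8-1+squeeze4
"""

# Fixed versions taken from the squeeze-backports advisories on this page,
# keyed by binary package name (the source-to-binary mapping is assumed here).
ADVISORY_FIXED = {
    "nginx": "1.1.17-2~bpo60+1",
    "samba": "2:3.6.4-1~bpo60+1",
    "libfreetype6": "2.4.8-1~bpo60+1",
    "puppet": "2.7.11-1~bpo60+1",
    "libnss3": "3.13.1.with.ckbi.1.88-1~bpo60+1",
}

if __name__ == "__main__":
    # Pipe real dpkg-query output in; otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DPKG_OUTPUT
    hits = outdated_backports(text, ADVISORY_FIXED)
    for pkg, have, want in hits:
        print("%s: installed %s, fixed in %s" % (pkg, have, want))
    if hits:
        print(upgrade_command("squeeze-backports", [p for p, _, _ in hits]))
```

On the sample, nginx and libfreetype6 are reported and libnss3 is not: its installed version is the stable package, which the squeeze security update handles. On a real system, run it as `dpkg-query -W -f='${Package} ${Version}\n' | python3 check_bpo.py` after filling ADVISORY_FIXED from the advisory you are acting on; if dpkg is available, `dpkg --compare-versions` gives the same ordering and can be used to cross-check the Python comparison.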