Debian Backports

Introduction

You are running Debian stable because you prefer the Debian stable tree. It runs great; there is just one problem: the software is a little outdated compared to other distributions. This is where backports come in.

Backports are packages from testing (mostly) and unstable (in a few cases only, e.g. security updates), recompiled in a stable environment so that they run without new libraries (wherever possible) on a Debian stable distribution.

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

It is therefore recommended to select single backported packages that fit your needs, and not use all available backports.

News

BSA-074 Security Update for libreoffice

Rene Engelhard uploaded new packages for libreoffice which fixed the following security problem:

CVE-2012-1149
        Integer overflows in PNG image handling

For the squeeze-backports distribution the problems have been fixed in
version 1:3.4.6-2~bpo60+2.
Posted Tue Jun 12 22:53:41 2012

BSA-073 Security Update for strongswan

Micah Anderson uploaded new packages for strongswan which fixed the following security problems:

CVE-2012-2388

 An authentication bypass issue was discovered by the Codenomicon
 CROSS project in strongSwan, an IPsec-based VPN solution. When using
 RSA-based setups, a missing check in the gmp plugin could allow an
 attacker presenting a forged signature to successfully authenticate
 against a strongSwan responder.

For the squeeze-backports distribution the problems have been fixed in
version 4.5.2-1.4~bpo60+1.
Posted Mon Jun 4 20:11:13 2012

BSA-071 Security Update for request-tracker4

Dominic Hargreaves uploaded new packages for request-tracker4 which fixed the following security problems:

CVE-2011-2082

   The vulnerable-passwords scripts introduced for CVE-2011-0009
   failed to correct the password hashes of disabled users.

CVE-2011-2083

   Several cross-site scripting issues have been discovered.  

CVE-2011-2084

   Password hashes could be disclosed by privileged users.

CVE-2011-2085

   Several cross-site request forgery vulnerabilities have been
   found. If this update breaks your setup, you can restore the old
   behaviour by setting $RestrictReferrer to 0.

CVE-2011-4458

   The code to support variable envelope return paths allowed the
   execution of arbitrary code.

CVE-2011-4459

   Disabled groups were not fully accounted as disabled.

CVE-2011-4460

   SQL injection vulnerability, only exploitable by privileged users.

For the squeeze-backports distribution the problems have been fixed in
version 4.0.5-3~bpo60+1.
Posted Mon May 28 08:49:45 2012

BSA-069 Security Update for NGINX

Cyril Lavier uploaded new packages for nginx which fixed the following security problems:

CVE-2012-2089 - nginx -- arbitrary code execution in mp4
pseudo-streaming module

A flaw was reported in the nginx standard mp4 pseudo-streaming module. A
specially-crafted mp4 file could allow for the overwriting of memory
locations in a worker process if ngx_http_mp4_module were used. This
could potentially result in arbitrary code execution with the privileges
of the unprivileged nginx user.

This has been corrected in upstream 1.0.15 and 1.1.9 versions, and only
affected versions newer than 1.1.3 and 1.0.7 when built with the
ngx_http_mp4_module and had the "mp4" directive set in the configuration
file.

For the squeeze-backports distribution the problems have been fixed in
version

    1.1.19-1~bpo60+1

For wheezy (testing) and sid (unstable) this was fixed in version

    1.1.19-1

Squeeze (stable) is not vulnerable to this security issue.
Posted Mon May 28 08:44:57 2012

BSA-070 Security update for samba

Christian Perrier uploaded new packages for samba which fixed the following security problem:

CVE-2012-1182
  PIDL-based autogenerated code allows writing beyond the end of an
  allocated array.

For the squeeze-backports distribution the problems have been fixed in
version 2:3.6.4-1~bpo60+1.
Posted Sat Apr 14 08:51:02 2012

lenny backports discontinued

Following the normal Debian archive, lenny-backports is now discontinued. That means that no upload will be possible anymore and lenny-backports(-sloppy) gets moved to archive.debian.org. If you haven't updated yet, now is the time to move to squeeze.

Some numbers about lenny-backports and lenny-backports-sloppy:

  • Source packages: lenny-backports: 667 - sloppy: 21
  • Uploads: lenny-backports: 1445 - sloppy: 51
  • Contributors: lenny-backports: 146 - sloppy: 17

Without all those contributors lenny-backports wouldn't have been possible. Thank you very much for your support!

Posted Sun Mar 25 09:07:14 2012

BSA-068 Security update for freetype

Paul Wise uploaded new packages for freetype which fixed the following security problems:

CVE-2011-3439
        FreeType allows remote attackers to execute arbitrary code or
        cause a denial of service (memory corruption) via a crafted
        font, a different vulnerability than CVE-2011-3256.

CVE-2011-3256
        FreeType before 2.4.7 allows remote attackers to execute
        arbitrary code or cause a denial of service (memory corruption)
        via a crafted font, a different vulnerability than
        CVE-2011-0226.

CVE-2011-0226
        Integer signedness error in psaux/t1decode.c in FreeType before
        2.4.6 allows remote attackers to execute arbitrary code or cause
        a denial of service (memory corruption and application crash)
        via a crafted Type 1 font.

For the squeeze-backports distribution the problems have been fixed in
version 2.4.8-1~bpo60+1.
Posted Fri Mar 23 06:56:21 2012

BSA-066 Security update for nginx

Cyril Lavier uploaded new packages for nginx which fixed the following security problems:

DSA-2434-1 nginx -- sensitive information leak

Matthew Daley discovered a memory disclosure vulnerability in nginx. In
previous versions of this web server, an attacker can receive the
content of previously freed memory if an upstream server returned a
specially crafted HTTP response, potentially exposing sensitive
information.

For the squeeze-backports distribution the problems have been fixed in
version

    1.1.17-2~bpo60+1

For wheezy (testing) and sid (unstable) this was fixed in version

    1.1.17-2

For squeeze (stable), this was fixed in version

    0.7.67-3+squeeze2
Posted Wed Mar 21 17:39:24 2012

BSA-065 Security update for puppet

Micah Anderson uploaded new packages for puppet which fixed the following security problems: CVE-2012-1053 and CVE-2012-1054

    CVE-2012-1053

    Puppet runs execs with unintended group privileges,
    potentially leading to privilege escalation.

    CVE-2012-1054

    The k5login type writes to untrusted locations, enabling
    local users to escalate their privileges if the k5login type is
    used.

For the squeeze-backports distribution the problems have been fixed in
version 2.7.11-1~bpo60+1.
Posted Wed Mar 21 15:12:26 2012

BSA-064 Security update for gnash

Gabriele Giacone uploaded new packages for gnash which fixed the following security problem:

CVE-2012-1175

  Tielei Wang from Georgia Tech Information Security Center discovered a
  vulnerability in GNU Gnash which is caused due to an integer overflow
  error and can be exploited to cause a heap-based buffer overflow by
  tricking a user into opening a specially crafted SWF file.
For the stable distribution (squeeze), this problem has been fixed in
version 0.8.8-5+squeeze1.

For the squeeze-backports distribution, this problem has been fixed in
version 0.8.10-5~bpo60+1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.10-5.
Posted Sat Mar 17 20:03:42 2012
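As an added example (not code from the Debian backports project), the following Python reads announcements in the BSA format used in the entries above, extracts the CVE ids and the squeeze-backports fixed version, and compares that version with what is installed using dpkg's ordering rules, so an administrator who follows the advice in the introduction and installs only selected backports can check whether those packages are at or above the advised version. The two BSA texts and the installed-versions table are constructed samples condensed from this page; the point worth seeing is that a `~bpo60` version sorts below the plain testing/unstable version it was built from.

```python
import re
BSA_RE = re.compile(r"^BSA-(\d+) Security [Uu]pdate for (\S+)", re.M)  # BSA announcement heading
CVE_RE = re.compile(r"^\s*(CVE-\d{4}-\d{4,})\b", re.M)  # line-leading ids only, so cross-references are skipped
FIX_RE = re.compile(r"For the squeeze-backports distribution,? (?:the problems have|this problem has)"
                    r" been fixed in\s+version\s+(\S+)")
VER_RE = re.compile(r"(?:(\d+):)?(.*?)(?:-([^-]*))?$")  # Debian version: [epoch:]upstream[-revision]
def parse_advisory(text):
    """Return {'bsa', 'package', 'cves', 'fixed'} for one BSA announcement text."""
    head, fix = BSA_RE.search(text), FIX_RE.search(text)
    if not (head and fix):
        raise ValueError("not a recognisable BSA advisory")
    return {"bsa": "BSA-" + head.group(1), "package": head.group(2).lower(),
            "cves": sorted(set(CVE_RE.findall(text))), "fixed": fix.group(1).rstrip(".")}
def _order(c):  # dpkg character weight: '~' sorts before everything, even the end of the string (weight 0)
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
def _verrevcmp(a, b):
    """dpkg ordering of one version part: alternate non-digit runs (by weight) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1  # the longer digit run is the larger number
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def deb_version_cmp(a, b):
    """<0, 0 or >0 as Debian version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = (VER_RE.match(v).groups(default="") for v in (a, b))
    return (int(ea or 0) - int(eb or 0)) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
def vulnerable_packages(advisory_texts, installed):
    """(bsa, package, installed, fixed) for every installed package older than the advisory's fix."""
    return [(a["bsa"], a["package"], installed[a["package"]], a["fixed"])
            for a in map(parse_advisory, advisory_texts)
            if a["package"] in installed and deb_version_cmp(installed[a["package"]], a["fixed"]) < 0]

ADVISORIES = [  # constructed input: two announcements from this page, condensed to the lines that matter
    "BSA-074 Security Update for libreoffice\n\nCVE-2012-1149\n\nFor the squeeze-backports distribution the problems have been fixed in\nversion 1:3.4.6-2~bpo60+2.",
    "BSA-069 Security Update for NGINX\n\nCVE-2012-2089 - nginx -- arbitrary code execution in mp4\n\nFor the squeeze-backports distribution the problems have been fixed in\nversion\n\n    1.1.19-1~bpo60+1\n",
]
INSTALLED = {"libreoffice": "1:3.4.6-2~bpo60+1", "nginx": "1.1.19-1~bpo60+1"}  # constructed dpkg-query result
```

On a real host the `INSTALLED` table would come from `dpkg-query -W -f '${Package} ${Version}\n'`; with the constructed data only libreoffice is reported, since the installed nginx already matches the advised version.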