Accepted ia32-libs 20150116 (source amd64) into squeeze-lts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 16 Jan 2015 20:46:29 +0100
Source: ia32-libs
Binary: ia32-libs ia32-libs-dev
Architecture: source amd64
Version: 20150116
Distribution: squeeze-lts
Urgency: low
Maintainer: Debian ia32-libs Team <pkg-ia32-libs-maintainers@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
ia32-libs - ia32 shared libraries for use on amd64 and ia64 systems
ia32-libs-dev - ia32 development files for use on amd64 and ia64 systems
Changes:
ia32-libs (20150116) squeeze-lts; urgency=low
.
* Packages updated
.
[ curl (7.21.0-2.1+squeeze11) squeeze-lts; urgency=high ]
.
* Non-maintainer upload.
* Fix URL request injection as in CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
.
[ curl (7.21.0-2.1+squeeze10) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* Fix duphandle read out of bounds as per CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
.
[ curl (7.21.0-2.1+squeeze9) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* Fix security issue:
- Only use full host matches for hosts used as IP address
as per CVE-2014-3613
* This patch is applied to Wheezy but not really needed, so it is omitted
here (needed for version > 7.38)
- Reject incoming cookies set for TLDs as per CVE-2014-3620
.
[ dbus (1.2.24-4+squeeze3) squeeze-lts; urgency=medium ]
.
* Security upload by the Debian LTS team.
* CVE-2014-3477: Backport patch from upstream to fix a denial of service
(failure to obtain bus name) in newly-activated system services that not
all users are allowed to access.
* CVE-2014-3638: Backport patch from upstream to reduce maximum number of
pending replies per connection to avoid algorithmic complexity DoS.
* CVE-2014-3639: Backport patch from upstream to not accept() new
connections when all unauthenticated connection slots are in use,
so that malicious processes cannot prevent new connections to the
system bus. Note that the patch that reduced the authentication delay
to 5s has not been applied due to known regressions:
https://bugs.freedesktop.org/show_bug.cgi?id=86431
.
[ flac (1.2.1-2+deb6u1) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* Fix CVE-2014-8962: heap-based buffer overflow in stream_decoder.c,
allowing remote attackers to execute arbitrary code via a specially
crafted .flac file.
* Fix CVE-2014-9028: stack-based buffer overflow in stream_decoder.c,
allowing remote attackers to execute arbitrary code via a specially
crafted .flac file.
.
[ libgcrypt11 (1.4.5-2+squeeze2) squeeze-lts; urgency=medium ]
.
* Non-maintainer upload by the Debian LTS team.
* Add 37_Replace-deliberate-division-by-zero-with-_gcry_divid.patch patch.
Replace deliberate division by zero with _gcry_divide_by_zero.
* Add 38_CVE-2014-5270.patch patch.
CVE-2014-5270: side-channel attack on Elgamal encryption subkeys.
Cryptanalysis attack as described by Genkin, Pipman and Tromer. See
<http://www.cs.tau.ac.il/~tromer/handsoff/>
* Both patches have been backported from the 1.5.0-5+deb7u2 wheezy
security update.
.
[ libtasn1-3 (2.7-1+squeeze+2) squeeze-lts; urgency=low ]
.
* CVE-2014-3467 (the DECR_LEN changes were omitted, since too intrusive
to backport for little impact)
* CVE-2014-3468
* CVE-2014-3469
.
[ libxml2 (2.7.8.dfsg-2+squeeze10) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* Fix wrongly applied patch for CVE-2014-0191 (#762864)
* Add patch for CVE-2014-3660 (#765722)
.
[ nss (3.12.8-1+squeeze10) squeeze-lts; urgency=low ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* Fix CVE-2014-1544: improper removal of an NSSCertificate structure
from a trust domain.
.
[ nss (3.12.8-1+squeeze9) squeeze-lts; urgency=low ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* Fix CVE-2014-1568: RSA signature verification bypass.
.
[ openssl (0.9.8o-4squeeze19) squeeze-lts; urgency=medium ]
.
* Fix CVE-2014-8275
* Fix CVE-2014-3572
* Fix CVE-2015-0204
* Fix CVE-2014-3570
* Fix CVE-2014-3571
* Fix typo related to CVE-2015-0205
.
[ openssl (0.9.8o-4squeeze18) squeeze-lts; urgency=medium ]
.
* Fix CVE-2014-3567
* Fix CVE-2014-3568
* Add Fallback SCSV support to mitigate CVE-2014-3566
* Fix CVE-2014-3569
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----