Accepted ia32-libs 20151231 (source amd64) into squeeze-lts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 31 Dec 2015 14:02:28 +0100
Source: ia32-libs
Binary: ia32-libs ia32-libs-dev
Architecture: source amd64
Version: 20151231
Distribution: squeeze-lts
Urgency: low
Maintainer: Debian ia32-libs Team <pkg-ia32-libs-maintainers@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
ia32-libs - ia32 shared libraries for use on amd64 and ia64 systems
ia32-libs-dev - ia32 development files for use on amd64 and ia64 systems
Changes:
ia32-libs (20151231) squeeze-lts; urgency=low
.
* Packages updated
.
[ arts (1.5.9-3+deb6u1) squeeze-lts; urgency=medium ]
.
* Non-maintainer upload by the Debian LTS team.
* Add debian/patches/99_CVE-2015-7543.diff to fix CVE-2015-7543:
insecure use of mktemp() leading to possible hijack of IPC directory.
.
[ cups (1.4.4-7+squeeze10) squeeze-lts; urgency=medium ]
.
* Fix buffer overflow on size allocation of texttopdf.
Updated debian/local/filters/pdf-filters/filter/texttopdf.c
- CVE-2015-3258: Heap-based buffer overflow in the WriteProlog
function.
- CVE-2015-3279: Integer overflow.
.
[ freetype (2.4.2-2.1+squeeze6) squeeze-lts; urgency=medium ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* CVE-2014-9745: Fix Savannah bug #41590. Protect against invalid number in
t1load.c parse_encoding().
* CVE-2014-9746, CVE-2014-9747: Fix Savannah bug #41309. Correct use of
uninitialized data in t1load.c, cidload.c, t42parse.c and psobjs.c.
.
[ gnutls26 (2.8.6-1+squeeze6) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* CVE-2015-8313: A tiny POODLE left. Gnutls didn't check the first padding
byte in CBC modes.
.
[ krb5 (1.8.3+dfsg-4squeeze10) squeeze-lts; urgency=medium ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* CVE-2015-2697: Fix build_principal memory bug
* Backport k5memdup0 from 1.13.2 for that
* CVE-2015-2695: Fix SPNEGO context aliasing bugs
* The upstream patch for CVE-2015-2695 introduced regressions preventing the
use of gss_import_sec_context() with contexts established using SPNEGO;
the fixes for those regressions are included here.
.
[ libidn (1.15-2+deb6u2) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS team
* fix_utf8_error_handling. Issue introduced in fix for CVE-2015-2059
.
[ libpng (1.2.44-1+squeeze6) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* CVE-2015-8472
update incomplete patch for CVE-2015-8126
* CVE-2015-8540
underflow read in png_check_keyword in pngwutil.c
* CVE-2012-3425
The png_push_read_zTXt function in pngpread.c in libpng 1.0.x
before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and
1.5.x before 1.5.10 allows remote attackers to cause a denial
of service (out-of-bounds read) via a large avail_in field value
in a PNG image.
In contrast to the next changelog entry, the vulnerable code
is present.
.
[ libpng (1.2.44-1+squeeze5) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* CVE-2015-7981
Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).
* CVE-2015-8126
Multiple buffer overflows in the (1) png_set_PLTE and
(2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x
before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24,
and 1.6.x before 1.6.19 allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other
impact via a small bit-depth value in an IHDR (aka image header)
chunk in a PNG image.
* CVE-2012-3425
vulnerable code is not present here
.
[ libsndfile (1.0.21-3+squeeze2) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* debian/patches :
- Add 102_sd2_buffer_read_overflow.diff (CVE-2014-9496, #774162).
- Add 103_file_io_divide_by_zero.diff (CVE-2014-9756, #804447).
- Add 104_fix_aiff_heap_overflow.diff (CVE-2015-7805, #804445).
.
[ libxml2 (2.7.8.dfsg-2+squeeze16) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* Patches taken from Wheezy, thanks to Salvatore Bonaccorso
* Add Avoid-processing-entities-after-encoding-conversion-.patch patch.
CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl.
* Add CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch patch.
CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey.
* Add CVE-2015-5312-Another-entity-expansion-issue.patch patch.
CVE-2015-5312: CPU exhaustion when processing specially crafted XML
input.
* Add patches to address CVE-2015-7499.
CVE-2015-7499: Heap-based buffer overflow in xmlGROW.
Add a specific parser error (XML_ERR_USER_STOP), backported from
e50ba8164eee06461c73cd8abb9b46aa0be81869 upstream (commit to address
CVE-2013-2877, the "Try to stop parsing as quickly as possible" was not
backported).
* Add CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch patch.
CVE-2015-7500: Heap buffer overflow in xmlParseMisc.
.
[ libxml2 (2.7.8.dfsg-2+squeeze15) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* fix off by one error for previous patch for CVE-2015-7942
(thanks to Salvatore for spotting this)
* Add patch for CVE-2015-8241 (#806384)
Buffer overread with XML parser in xmlNextChar
* Add patch for CVE-2015-8317_751631
issues in the xmlParseXMLDecl function:
If we fail converting the current input stream while
processing the encoding declaration of the XMLDecl
then it's safer to just abort there and not try to
report further errors.
* Add patch for CVE-2015-8317_51603
If the string is not properly terminated do not try to convert
to the given encoding.
.
[ libxml2 (2.7.8.dfsg-2+squeeze14) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* rebuild for correct triggers file
.
[ libxml2 (2.7.8.dfsg-2+squeeze13) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS Team.
* Add patch for CVE-2015-7942 (#802827)
.
[ nspr (4.8.6-1+squeeze3) squeeze-lts; urgency=high ]
.
* Non-maintainer upload by the Squeeze LTS team.
* Fix CVE-2015-7183, MFSA-2015-133: heap-buffer overflow in
PL_ARENA_ALLOCATE
.
[ nss (3.12.8-1+squeeze13) squeeze-lts; urgency=medium ]
.
* Non-maintainer upload by the Debian LTS Team.
* Add CVE-2015-7182.patch:
CVE-2015-7182: Heap-based buffer overflow in the ASN.1 decoder
* Add CVE-2015-7181.patch:
* CVE-2015-7181: The sec_asn1d_parse_leaf function improperly restricts
access to an unspecified data structure
* Add autopkgtest for certificate generation/signing and library linking
* Add gbp.conf for LTS
.
[ nss (3.12.8-1+squeeze12) squeeze-lts; urgency=medium ]
.
* Non-maintainer upload by the Debian LTS Team.
* Add CVE-2015-2730.patch:
CVE-2015-2730: ECDSA signature validation fails to handle some
signatures correctly.
* Add CVE-2015-2721.patch:
CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange.
.
[ openldap (2.4.23-7.3+deb6u2) squeeze-lts; urgency=high ]
.
* Import upstream patch to remove an unnecessary assert(0) that could be
triggered remotely by an unauthenticated user by sending a malformed BER
element. (ITS#8240) (CVE-2015-6908) (#798622)
.
[ openssl (0.9.8o-4squeeze22) squeeze-lts; urgency=medium ]
.
* Fix CVE-2015-3195
Checksums-Sha1:
47193c0e4838b5f8ecc3fc143855262c5814e8b6 1548 ia32-libs_20151231.dsc
45bde0ea959035fa692dc913d31553c642a133d8 335222376 ia32-libs_20151231.tar.gz
7c474f8bffce30a6a6bc34c13512aac87b7aca53 34279960 ia32-libs_20151231_amd64.deb
0ebcd6c46d1ce07b1fb29bc7869ed37ddc71a114 13097768 ia32-libs-dev_20151231_amd64.deb
Checksums-Sha256:
46fabfd0fdf76f1b8ce18796088e2ed1d616d777805a89b0a135de5a63b4bd92 1548 ia32-libs_20151231.dsc
b91793240cde0d26a7cc2d535c58cf153e077a106f023347b5a366f26bd23e48 335222376 ia32-libs_20151231.tar.gz
c5d4f2d0f460c70ec068541c1beacd5465467a3fac3d29100cd28907bf45b4f6 34279960 ia32-libs_20151231_amd64.deb
333e848c86544e65f19f35d32440ac66bb0f955b3ce1803054d2776698d7ab5c 13097768 ia32-libs-dev_20151231_amd64.deb
Files:
1b20196b2061fb5d4b99c88273aee647 1548 libs optional ia32-libs_20151231.dsc
4a11f06d82f9f13716cf6aa556e40ba6 335222376 libs optional ia32-libs_20151231.tar.gz
2dc0622d87f256dfb1058d22c2f432a3 34279960 libs optional ia32-libs_20151231_amd64.deb
e02a2db4497d4387d9ecc727af2e47ca 13097768 libdevel extra ia32-libs-dev_20151231_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----