Preparation of Debian GNU/Linux 3.0r1

Try to sync architectures.

There is an m68k package hooked up in testing-proposed-updates as well.

The arm package was built on July 4th, but didn't make it into the archive, strangely.

DSA-187 apache - several vulnerabilities

DSA-195 apache-perl - several vulnerabilities

DSA-188 apache-ssl - several vulnerabilities

Guido writes:

- it don't lets failures to read from an ext2 fs completely crash the loader (like when you enter a non existent partition in the prom)

- it introduces tip22 as a separate binary package[1], a "piggyback" style tftp loader that is used to pack kernel and initrd into one ecoff file which can be tftpbooted. This finally solves the whole initrd issues on mips. Without that mips will not be able to use kernels > 2.4.16 since Ralf revamped head.S(among others) which breaks our current addinitrd method completely. Agreed, we could revert the head.S changes but I'd rather like to avoid that because we might trip on unwanted side effects. I already have a 2 line patch against bootfloppies to use tip22 but don't want to commit it until it's sure tip22 can go into r1.

Package broken in woody

DSA-173 bugzilla - privilege escalation

Upstream reported: Due to license issues with the libedc_ecc library that is used by and distributed with cdrdao I have to temporarily freeze this project. All releases have been removed.

See http://sourceforge.net/forum/forum.php?forum_id=213313

See http://bugs.debian.org/162788

DSA-197 courier - buffer overflow

* Added default path so the upgrade will work fine. Thanks to Donovan Baarda <abo@minkirri.apana.org.au> for pointing out the problem. Closes: #158869.

Rationale: Without the path, this package doesn't run out of the box on woody anymore.

On a machine which was upgraded from potato to woody a couple of months before release, there is a wrong entry in transitional.cat, which causes debiandoc to be unusable. My opinion is, it is bad enough (and simple enough to fix) so that it must go into 3.0r1.

* debian/postinst: added invocation of 'install-sgmlcatalog --remove debiandoc-sgml' to clean up cruft potentially left over from the SGML catalog transition in a potato -> woody upgrade (closes: Bug#154737)

* Rebuild of 0.1.17.8 for woody to pull in race condition fix and missing package dependency fixes, among others.

I've been pestered that boot-floppies/debian-installer people need this.

woody does not need µdeb's though. Branden Robinson agreed to upload a "fixed" version that doesn't produce the µdeb. However that hasn't yet happened.

Update: James said that udebs won't be visible in stable, so they should not cause problems. Let's hope he is correct.

* ext2.c: Gracefully fail on filesystems with journals (closes: #118635). This fixes a bug that causes filesystem corruption when defrag is run on ext3 filesystems.

DSA-146 dietlibc - integer overflow

Don't depend on obsolete library anymore.

This bug is just an incorrect dependency in the control file, which makes docbook-xml-slides insist on pulling the obsolete docbook-xsl-stylesheets instead of recent docbook-xsl. This in turns causes other packages to be uninstallable, because they correctly depend on the new one.

Get architectures in sync (IA-64 is missing, though, but the package doesn't seem to compile at all on that arch)

DSA-156 epic4-script-light - arbitrary script execution

Fixed a typo that broke image creation with mkisofs if only the image was being created, ie if not part of create image/burn operation

DSA-162 ethereal - buffer overflow

DSA-154 fam - privilege escalation

DSA-171 fetchmail - buffer overflows

DSA-171 fetchmail - buffer overflows

DSA-201 freeswan - denial of service

DSA-158 gaim - arbitrary program execution

DSA-138 gallery - remote exploit

DSA-149 glibc - integer overflow

DSA-179 gnome-gv - buffer overflow

According to the bug reports mentioned in the changelog, one program from this package crashed upon startup, rendering it useless. Hence, an update.

* Fixing RC bugs: + Closes: #145411: Gnomecal segfaults upon start + Closes: #145517: gnomecal segfaults at startup + Closes: #151781 (for stable): Problem loading GnomeCal conduit + Closes: #155221: Gnomecal segfaults upon start and no fixed version of gnome-pim is available in stable

DSA-205 gtetrinet - buffer overflow

DSA-176 gv - buffer overflow

DSA-174 heartbeat - buffer overflow

DSA-169 htcheck - cross site scripting

DSA-192 html2ps - arbitrary code execution

Get architectures back in sync

DSA-148 hylafax - buffer overflows and format string vulnerabilities

DSA-202 im - insecure temporary files

Lots of intrusive changes, only one is priority high and it only affects people with ataraid. Suited for unstable.

Automatic module loading is broken from 2.4.19 upwards, which means that the initrd-tools in stable will NOT work. This version is the first one that uses pivot_root which works around this and doesn't contain any major bugs unlike all previous versions uploaded to unstable.

DSA-150 interchange - illegal file exposition

DSA-157 irssi-text - denial of service

non-US

Get architectures in sync.

DSA-182 kdegraphics - buffer overflow

DSA-155 kdelibs - privacy escalation with Konqueror

DSA-167 kdelibs - cross site scripting

DSA-204 kdelibs - arbitrary program execution

Fixed i386 lcall DoS (Petr Vandrovec).

New upstream source with several fixes.

* Integrated a new kernel-patch from the IBM Developerworks website (released on 2002.06.12). This patch fixes the DASD deadlock problem and some other severe problems. * Removed NMU DASD deadlock fix. * Integrated a new kernel-patch from the IBM Developerworks website (released on 2002.08.16). This patch fixes a problem related to the IUCV driver.

This sounds like a more or less regular update to me, which should not target the stable release.

Gerhard Tonn wrote: This is not true. The woody kernel is definitely broken on s390, deadlock in I/O code. Fortunately we have a working kernel as part of the boot-floppies, so that most of our users didn't notice it, but we had already several problems with the kernel when users build their own. So please accept the update. We need not only the kernel-patch, but also an update of the kernel-image. It wasn't accepted by katie, probably because katie accepts only one .udeb per package and architecture.

New kernel with security updates

The files in stable should be removed, i.e. updated by the new ones.

* Integrated a new kernel-patch from the IBM Developerworks website (released on 2002.06.12). This patch fixes the DASD deadlock problem and some other severe problems. * Removed NMU DASD deadlock fix. * Integrated a new kernel-patch from the IBM Developerworks website (released on 2002.08.16). This patch fixes a problem related to the IUCV driver.

This sounds like a more or less regular update to me, which should not target the stable release.

Gerhard Tonn wrote: This is not true. The woody kernel is definitely broken on s390, deadlock in I/O code. Fortunately we have a working kernel as part of the boot-floppies, so that most of our users didn't notice it, but we had already several problems with the kernel when users build their own. So please accept the update. We need not only the kernel-patch, but also an update of the kernel-image. It wasn't accepted by katie, probably because katie accepts only one .udeb per package and architecture.

Kernel with security fixes

New kernel with security corrections. The new package should supersede an older one.

DSA-143 krb5 - integer overflow

DSA-183 krb5 - buffer overflow

DSA-152 l2tpd - missing random seed

* "Major Brown Bag"-release. * Make shlibs depend on libgd1-noxpm (not the non-existing libgd1- xpm). This closes: bug#143856 - thanks to Ben Finney <bignose@zip.com.au> for being awake when I am not. * Set urgency=high - same reasoning as -16.

woody2 fix uninstallable on ia32 due to broken dependencies, fixed packages are to be uploaded soon.

Move from non-US to main.

DSA-140 libpng - buffer overflow

Backported change for C code from unstable version (1.4.6) to fix major brokenness (Closes: #162385)

The changes are too instrusive and large for me to check or author them. An inquiry to the bug reporter is sent and should help clarification.

DSA-186 log2mail - buffer overflow

* Backported fix for file-existence-error bug from unstable version. (Closes: #153414). Release manager: this is just a one-character change from 'test -f' to 'test -L', where the latter is the right thing to do, is being done so for the other three cases, and works as is for a few months now in unstable

The bug report demonstrates that the package is not installable under certain circumstances without this fix.

DSA-189 luxman - local root exploit

DSA-147 mailman - cross-site scripting

Plus: Fix a permission bug that renders the package uninstallable (upgrade with corrected perms would work, though)

DSA-153 mantis - cross site code execution and privilege escalation

DSA-161 mantis - privilege escalation

DSA-194 masqmail - buffer overflows

DSA-163 mhonarc - cross site scripting

DSA-199 mhonarc - cross site scripting

DSA-137 mm - insecure temporary files

DSA-141 mpack - buffer overflow

Rebuilt against current atlas-dev from stable to fix broken dependencies (similar to octave2.1)

Doesn't build on alpha due to lapack problems, but alpha packages didn't suffer from the atlas brokeness anyway, so that's no problem.

MISSING alpha

The woody package was useless since the path was changed.

Corrected the logfile security fix.

The package in woody will break violently if you are installing it on a kernel without hotplug support, and will refuse to be removed if your kernel doesn't have hotplug support.

nano.c: hardcode a --disable-wrapping-as-root backport to the stable version. If, as root, you want to enable wrapping, use the Meta-W toggle to enable it after starting nano (fixes: #127634 + 5 more).

Why do people think µdebs are good for woody? They aren't. Try again.

Update: James said that udebs won't be visible in stable, so they should not cause problems. Let's hope he is correct.

Get architectures in sync (despite BNMU)

DSA-180 nis - information leak

DSA-198 nullmailer - denial of service

Fixed postinst-ocamlld so it will now do its work also when upgrading a package, and not only when removing it.

Rebuilt against current atlas*-dev package with corrected shlibs.default to ensure proper handling of virtual depends on blas2 with default of blas and atlas2-base

DSA-142 openafs - integer overflow

Get architectures in sync

Built for kernel-image-2.2.22-*.

There should probably be a reiserfs update as well, but it's currently missing. Older packages should be replaced.