Ubuntu Installer | 24 May 21:04

[ubuntu/dapper-security] apache2 (delayed), apache2 2.0.55-4ubuntu2.13 (Accepted)

apache2 (2.0.55-4ubuntu2.13) dapper-security; urgency=low

  * SECURITY UPDATE: denial of service in apr_fnmatch exploitable via
    apache's mod_index
    - debian/patches/122_fnmatch_CVE-2011-0419.patch: rewrite
      apr_fnmatch to have a better time bounds on execution.
    - CVE-2011-0419
    - debian/patches/123_fnmatch_CVE-2011-1928.patch: fix possible
      DoS introduced by patch for CVE-2011-0419.
    - CVE-2011-1928

Date: Sun, 22 May 2011 21:17:32 -0700
Changed-By: Steve Beattie <sbeattie <at> ubuntu.com>
Maintainer: Debian Apache Maintainers <debian-apache <at> lists.debian.org>
https://launchpad.net/ubuntu/dapper/+source/apache2/2.0.55-4ubuntu2.13
Format: 1.7
Date: Sun, 22 May 2011 21:17:32 -0700
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev
apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source
Version: 2.0.55-4ubuntu2.13
Distribution: dapper-security
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache <at> lists.debian.org>
Changed-By: Steve Beattie <sbeattie <at> ubuntu.com>
Description: 
 apache2    - next generation, scalable, extendable web server

Ubuntu Installer | 11 May 11:04

[ubuntu/dapper-security] postfix, postfix (delayed) 2.2.10-1ubuntu0.4 (Accepted)

postfix (2.2.10-1ubuntu0.4) dapper-security; urgency=low

  * SECURITY UPDATE: SASL memory corruption
    - debian/patches/CVE-2011-1720.dpatch: don't reuse the SASL handle
      after auth failure in src/smtpd/smtpd_sasl_proto.c.
    - CVE-2011-1720

Date: Tue, 10 May 2011 08:46:31 -0400
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Maintainer: LaMont Jones <lamont <at> debian.org>
https://launchpad.net/ubuntu/dapper/+source/postfix/2.2.10-1ubuntu0.4
Format: 1.7
Date: Tue, 10 May 2011 08:46:31 -0400
Source: postfix
Binary: postfix-doc postfix-pgsql postfix-ldap postfix-dev postfix-pcre postfix postfix-mysql
Architecture: source
Version: 2.2.10-1ubuntu0.4
Distribution: dapper-security
Urgency: low
Maintainer: LaMont Jones <lamont <at> debian.org>
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Description: 
 postfix    - A high-performance mail transport agent
 postfix-dev - Postfix loadable modules development environment
 postfix-doc - Postfix documentation
 postfix-ldap - LDAP map support for Postfix
 postfix-mysql - MYSQL map support for Postfix
 postfix-pcre - PCRE map support for Postfix

Ubuntu Installer | 4 May 23:10

[ubuntu/dapper-security] php5 (delayed), php5 5.1.2-1ubuntu3.24 (Accepted)

php5 (5.1.2-1ubuntu3.24) dapper-security; urgency=low

  * debian/patches/pear/php5-pear-CVE-2011-1144_regression.patch: fix
    mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452)
  * debian/patches/php5-CVE-2010-4697_regression.patch: fix regression
    in reference counting added by fix for CVE-2010-4697 (LP: #776642)

Date: Wed, 04 May 2011 00:46:19 -0700
Changed-By: Steve Beattie <sbeattie <at> ubuntu.com>
Maintainer: Debian PHP Maintainers <pkg-php-maint <at> lists.alioth.debian.org>
https://launchpad.net/ubuntu/dapper/+source/php5/5.1.2-1ubuntu3.24
Format: 1.7
Date: Wed, 04 May 2011 00:46:19 -0700
Source: php5
Binary: php5-mysqli php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl php5-cgi
php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mysql
php5-common php5-dev php5-snmp php5-sqlite
Architecture: source
Version: 5.1.2-1ubuntu3.24
Distribution: dapper-security
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint <at> lists.alioth.debian.org>
Changed-By: Steve Beattie <sbeattie <at> ubuntu.com>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)

Ubuntu Installer | 3 May 16:05

[ubuntu/dapper-security] perl (delayed), perl 5.8.7-10ubuntu1.3 (Accepted)

perl (5.8.7-10ubuntu1.3) dapper-security; urgency=low

  * SECURITY UPDATE: multiple intended restriction bypasses in Safe.pm
    - debian/patches/71_CVE-2010-1168: update Safe.pm to version 2.29 to
      fix multiple issues.
    - CVE-2010-1168
    - CVE-2010-1447
  * SECURITY UPDATE: multiple issues in CGI.pm: hardcoded MIME boundary,
    and CRLF injections.
    - debian/patches/72_cgi-multiline-header: fix issues with patch
      obtained from (5.10.1-17).
    - CVE-2010-2716
    - CVE-2010-4410
    - CVE-2010-4411

Date: Fri, 22 Apr 2011 13:05:34 -0400
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Maintainer: Brendan O'Dea <bod <at> debian.org>
https://launchpad.net/ubuntu/dapper/+source/perl/5.8.7-10ubuntu1.3
Format: 1.7
Date: Fri, 22 Apr 2011 13:05:34 -0400
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: source
Version: 5.8.7-10ubuntu1.3
Distribution: dapper-security
Urgency: low
Maintainer: Brendan O'Dea <bod <at> debian.org>

Ubuntu Installer | 29 Apr 08:06

[ubuntu/dapper-security] php5 (delayed), php5 5.1.2-1ubuntu3.22 (Accepted)

php5 (5.1.2-1ubuntu3.22) dapper-security; urgency=low

  * SECURITY UPDATE: arbitrary files removal via cronjob
    - debian/php5-common.php5.cron.d: take greater care when removing
      session files.
    - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
    - CVE-2011-0441
  * SECURITY UPDATE: symlink tmp races in pear install
    - debian/patches/php5-pear-CVE-2011-1072.patch: improved
      tempfile handling.
    - debian/rules: apply patch manually after unpacking PEAR phar
      archive.
    - CVE-2011-1072
  * SECURITY UPDATE: more symlink races in pear install
    - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save
      file handler.
    - debian/rules: apply patch manually after unpacking PEAR phar
      archive.
    - CVE-2011-1144
  * SECURITY UPDATE: use-after-free vulnerability
    - debian/patches/php5-CVE-2010-4697.patch: retain reference to
      object until getter/setter are done.
    - CVE-2010-4697
  * SECURITY UPDATE: denial of service through application crash with
    invalid images
    - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing
      steps are either 4 or 16.
    - CVE-2010-4698
  * SECURITY UPDATE: denial of service through application crash when
    handling images with invalid exif tags

Gary Lasker | 26 Apr 22:25

[ubuntu/dapper-proposed] langpack-locales 2.3.18.45 (Accepted)

langpack-locales (2.3.18.45) dapper-proposed; urgency=low

  * Replace tzdata2011e.tar.gz with tzdata2011g.tar.gz:
    - Egypt abandons DST in 2011 (and forward)
      (thanks to Alexander Krivenyshev)
    - LP: #770622

Date: Tue, 26 Apr 2011 11:14:22 -0400
Changed-By: Gary Lasker <gary.lasker <at> canonical.com>
Maintainer: Martin Pitt <martin.pitt <at> ubuntu.com>
Signed-By: Martin Pitt <martin.pitt <at> ubuntu.com>
https://launchpad.net/ubuntu/dapper/+source/langpack-locales/2.3.18.45
Format: 1.7
Date: Tue, 26 Apr 2011 11:14:22 -0400
Source: langpack-locales
Binary: locales
Architecture: source
Version: 2.3.18.45
Distribution: dapper-proposed
Urgency: low
Maintainer: Martin Pitt <martin.pitt <at> ubuntu.com>
Changed-By: Gary Lasker <gary.lasker <at> canonical.com>
Description: 
 locales    - common files for locale support
Changes: 
 langpack-locales (2.3.18.45) dapper-proposed; urgency=low
 .
   * Replace tzdata2011e.tar.gz with tzdata2011g.tar.gz:

Ubuntu Installer | 20 Apr 15:04

[ubuntu/dapper-security] openslp, openslp (delayed) 1.2.1-5ubuntu0.2 (Accepted)

openslp (1.2.1-5ubuntu0.2) dapper-security; urgency=low

  * SECURITY UPDATE: denial of service via circular reference
    - common/slp_message.c: detect circular reference. Patch thanks to SUSE.
    - CVE-2010-3609

Date: Tue, 05 Apr 2011 15:05:36 -0400
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Maintainer: Ganesan Rajagopal <rganesan <at> debian.org>
https://launchpad.net/ubuntu/dapper/+source/openslp/1.2.1-5ubuntu0.2
Format: 1.7
Date: Tue, 05 Apr 2011 15:05:36 -0400
Source: openslp
Binary: libslp-dev slptool libslp1 openslp-doc slpd
Architecture: source
Version: 1.2.1-5ubuntu0.2
Distribution: dapper-security
Urgency: low
Maintainer: Ganesan Rajagopal <rganesan <at> debian.org>
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Description: 
 libslp-dev - OpenSLP development libraries
 libslp1    - OpenSLP libraries
 openslp-doc - OpenSLP documentation
 slpd       - OpenSLP Server (slpd)
 slptool    - SLP command line tool
Changes: 
 openslp (1.2.1-5ubuntu0.2) dapper-security; urgency=low

Ubuntu Installer | 18 Apr 17:04

[ubuntu/dapper-security] postfix, postfix (delayed) 2.2.10-1ubuntu0.3 (Accepted)

postfix (2.2.10-1ubuntu0.3) dapper-security; urgency=low

  * SECURITY UPDATE: man-in-the-middle via plaintext command injection
    - debian/patches/CVE-2011-0411.dpatch: Discard the contents of the
      stream buffer so there is no pending plaintext in
      src/smtp/smtp_proto.c, src/smtpd/smtpd.c. Backport vstream_fpurge()
      in src/util/vstream.*.
    - CVE-2011-0411
  * SECURITY UPDATE: symlink attack via incorrect pid dir permissions
    - debian/postfix.postinst: create pid dir with appropriate permissions.
    - CVE-2009-2939

Date: Fri, 15 Apr 2011 10:55:16 -0400
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Maintainer: LaMont Jones <lamont <at> debian.org>
https://launchpad.net/ubuntu/dapper/+source/postfix/2.2.10-1ubuntu0.3
Format: 1.7
Date: Fri, 15 Apr 2011 10:55:16 -0400
Source: postfix
Binary: postfix-doc postfix-pgsql postfix-ldap postfix-dev postfix-pcre postfix postfix-mysql
Architecture: source
Version: 2.2.10-1ubuntu0.3
Distribution: dapper-security
Urgency: low
Maintainer: LaMont Jones <lamont <at> debian.org>
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Description: 
 postfix    - A high-performance mail transport agent

Ubuntu Installer | 11 Apr 22:04

[ubuntu/dapper-security] dhcp3, dhcp3 (delayed) 3.0.3-6ubuntu7.2 (Accepted)

dhcp3 (3.0.3-6ubuntu7.2) dapper-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted hostname
    - debian/patches/CVE-2011-0997.dpatch: filter strings in
      client/dhclient.c, common/options.c.
    - CVE-2011-0997

Date: Mon, 11 Apr 2011 09:04:51 -0400
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Maintainer: Eloy A. Paris <peloy <at> debian.org>
https://launchpad.net/ubuntu/dapper/+source/dhcp3/3.0.3-6ubuntu7.2
Format: 1.7
Date: Mon, 11 Apr 2011 09:04:51 -0400
Source: dhcp3
Binary: dhcp3-client-udeb dhcp3-common dhcp3-relay dhcp3-dev dhcp3-client dhcp3-server
Architecture: source
Version: 3.0.3-6ubuntu7.2
Distribution: dapper-security
Urgency: low
Maintainer: Eloy A. Paris <peloy <at> debian.org>
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Description: 
 dhcp3-client - DHCP Client
 dhcp3-client-udeb - DHCP Client for debian-installer
 dhcp3-common - Common files used by all the dhcp3* packages
 dhcp3-dev  - API for accessing and modifying the DHCP server and client state
 dhcp3-relay - DHCP Relay
 dhcp3-server - DHCP server for automatic IP address assignment

Ubuntu Installer | 4 Apr 19:04

[ubuntu/dapper-security] tiff (delayed), tiff 3.7.4-1ubuntu3.11 (Accepted)

tiff (3.7.4-1ubuntu3.11) dapper-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted
    THUNDER_2BITDELTAS data
    - debian/patches/z_CVE-2011-1167.patch: validate bitspersample and
      make sure npixels is sane in libtiff/tif_thunder.c.
    - CVE-2011-1167

Date: Wed, 30 Mar 2011 13:34:17 -0400
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Maintainer: Jay Berkenbilt <qjb <at> debian.org>
https://launchpad.net/ubuntu/dapper/+source/tiff/3.7.4-1ubuntu3.11
Format: 1.7
Date: Wed, 30 Mar 2011 13:34:17 -0400
Source: tiff
Binary: libtiff-opengl libtiffxx0c2 libtiff4 libtiff-tools libtiff4-dev
Architecture: source
Version: 3.7.4-1ubuntu3.11
Distribution: dapper-security
Urgency: low
Maintainer: Jay Berkenbilt <qjb <at> debian.org>
Changed-By: Marc Deslauriers <marc.deslauriers <at> ubuntu.com>
Description: 
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface

Gary Lasker | 4 Apr 09:56

[ubuntu/dapper-proposed] langpack-locales 2.3.18.44 (Accepted)

langpack-locales (2.3.18.44) dapper-proposed; urgency=low

  * Replace tzdata2011d.tar.gz with tzdata2011e.tar.gz:
    - africa: Add start and end of DST in 2011 in Morocco.
    - southamerica: For Chile, delay end of DST in 2011 from April 2nd to May 7th
    - LP: #747946

Date: Sat, 02 Apr 2011 17:22:26 -0400
Changed-By: Gary Lasker <gary.lasker <at> canonical.com>
Maintainer: Martin Pitt <martin.pitt <at> ubuntu.com>
Signed-By: Martin Pitt <martin.pitt <at> ubuntu.com>
https://launchpad.net/ubuntu/dapper/+source/langpack-locales/2.3.18.44
Format: 1.7
Date: Sat, 02 Apr 2011 17:22:26 -0400
Source: langpack-locales
Binary: locales
Architecture: source
Version: 2.3.18.44
Distribution: dapper-proposed
Urgency: low
Maintainer: Martin Pitt <martin.pitt <at> ubuntu.com>
Changed-By: Gary Lasker <gary.lasker <at> canonical.com>
Description: 
 locales    - common files for locale support
Changes: 
 langpack-locales (2.3.18.44) dapper-proposed; urgency=low
 .
   * Replace tzdata2011d.tar.gz with tzdata2011e.tar.gz:

