======================================
Sat, 16 Feb 2019 - Debian 9.8 released
======================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:45:34 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

debian-parl | 1.9.10 | source
parl-data | 1.9.10 | all
parl-desktop | 1.9.10 | all
parl-desktop-eu | 1.9.10 | all
parl-desktop-strict | 1.9.10 | all
parl-desktop-world | 1.9.10 | all
Closed bugs: 921749

------------------- Reason -------------------
RoQA; depends on broken / removed Firefox plugins
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:45:56 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

xul-ext-y-u-no-validate | 2013052407-3 | all
y-u-no-validate | 2013052407-3 | source
Closed bugs: 908405

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:46:28 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

mozvoikko | 2.2-0.1 | source
xul-ext-mozvoikko | 2.2-0.1 | all
Closed bugs: 912465

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:47:19 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

personasplus | 1.7.8-1 | source
xul-ext-personasplus | 1.7.8-1 | all
Closed bugs: 913436

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:48:00 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

corebird | 1.4.1-1+deb9u1 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
Closed bugs: 915292

------------------- Reason -------------------
RoM; broken by Twitter API changes
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:49:19 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

firefox-branding-iceweasel | 0.4.0 | source
xul-ext-iceweasel-branding | 0.4.0 | all
Closed bugs: 918160

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:49:37 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

imap-acl-extension | 0.2.7-1 | source
xul-ext-imap-acl | 0.2.7-1 | all
Closed bugs: 918254

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:50:26 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

toggle-proxy | 1.9-2 | source
xul-ext-toggle-proxy | 1.9-2 | all
Closed bugs: 918257

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:51:21 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

mozilla-password-editor | 2.10.3-1 | source
xul-ext-password-editor | 2.10.3-1 | all
Closed bugs: 918258

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:52:30 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

firefox-kwallet5 | 1.0-2 | source
xul-ext-kwallet5 | 1.0-2 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
Closed bugs: 918346

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:55:34 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

adblock-plus | 2.7.3+dfsg-1 | source
xul-ext-adblock-plus | 2.7.3+dfsg-1 | all
Closed bugs: 918347

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:56:40 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

mozilla-dom-inspector | 1:2.0.16-2 | source
xul-ext-dom-inspector | 1:2.0.16-2 | all
Closed bugs: 918349

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:56:54 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

browser-plugin-spice | 2.8.90-5 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
spice-xpi | 2.8.90-5 | source
Closed bugs: 918350

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:57:26 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

flickrbackup | 0.2-3.1 | source, all
Closed bugs: 919797

------------------- Reason -------------------
RoM; ancient; abandoned upstream; deprecated
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:57:46 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

python-formalchemy | 1.4.2-1 | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
Closed bugs: 920560

------------------- Reason -------------------
RoQA; unusable, fails to import in python
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:58:01 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

flashblock | 1.5.20-2 | source
xul-ext-flashblock | 1.5.20-2 | all
Closed bugs: 920717

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:58:19 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

refcontrol | 0.8.17-3 | source
xul-ext-refcontrol | 0.8.17-3 | all
Closed bugs: 920718

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:58:54 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

cookie-monster | 1.3.0.5-1 | source
xul-ext-cookie-monster | 1.3.0.5-1 | all
Closed bugs: 920719

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:59:38 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

requestpolicy | 1.0.0~beta12.3+dfsg-1 | source
xul-ext-requestpolicy | 1.0.0~beta12.3+dfsg-1 | all
Closed bugs: 920722

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 09:59:59 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

mozilla-noscript | 2.9.0.14-1 | source
xul-ext-noscript | 2.9.0.14-1 | all
Closed bugs: 920724

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 10:00:15 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

debianbuttons | 1.11-3 | source
xul-ext-debianbuttons | 1.11-3 | all
Closed bugs: 921129

------------------- Reason -------------------
RoQA; incompatible with newer firefox-esr versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 10:00:33 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

calendar-exchange-provider | 3.9.0-4 | source, all
Closed bugs: 921932

------------------- Reason -------------------
RoM; incompatible with newer Thunderbird versions
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 10:00:50 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

libwww-topica-perl | 0.6-5 | source, all
Closed bugs: 922110

------------------- Reason -------------------
RoQA; useless due to Topica site removal
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 10:14:07 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

libnvidia-egl-wayland1 | 384.130-1 | amd64, armhf, i386
nvidia-egl-wayland-common | 384.130-1 | amd64, armhf, i386
nvidia-egl-wayland-icd | 384.130-1 | amd64, armhf, i386

------------------- Reason -------------------
[auto-cruft] NBS (no longer built by nvidia-graphics-drivers)
----------------------------------------------
=========================================================================
=========================================================================
[Date: Sat, 16 Feb 2019 10:25:58 +0000] [ftpmaster: Archive Administrator]
Removed the following packages from stable:

python-certbot | 0.10.2-1 | all

------------------- Reason -------------------
[cruft] NBS (no longer built by python-certbot)
----------------------------------------------
=========================================================================

arc (5.21q-4+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Fix version 1 arc header reading
   * Fix arcdie crash when called with more than 1 variable argument
   * Fix directory traversal bugs (CVE-2015-9275)
     Thanks to Hans de Goede (Closes: #774527)

astroml-addons (0.2.2-4~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
   astroml-addons (0.2.2-4) unstable; urgency=medium
 .
   * Push Standards-Version to 4.0.0. No changes needed.
 .
   [ Scott Kitterman ]
   * Correct substitution variable for python3 binary so correct python3
     interpreter depends are provided. Closes: #867243

base-files (9.9+deb9u8) stretch; urgency=medium
 .
   * Change /etc/debian_version to 9.8, for Debian 9.8 point release.

c3p0 (0.9.1.2-9+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Fix CVE-2018-20433.
     An XML External Entity (XXE) vulnerability was discovered in c3p0 that
     may be used to resolve information outside of the intended sphere of
     control. (Closes: #917257)

ca-certificates-java (20170929~deb9u1) stretch; urgency=medium
 .
   * Rebuild for stretch.
 .
   ca-certificates-java (20170929) unstable; urgency=low
 .
   [ Gianfranco Costamagna ]
   * Team upload.
   * Ack previous NMU, thanks
 .
   [ Rico Tzschichholz ]
   * Fix temporary jvm-*.cfg generation on armhf (Closes: #874276)
     - the armhf installation path is different from other architectures.

ceph (10.2.11-2) stretch-security; urgency=medium
 .
   [ James Page ]
   * [d34d35] Fix build on i386 (Closes: #913909)

ceph (10.2.11-1) stretch-security; urgency=medium
 .
   * [1aebf9] New upstream version 10.2.11
     Fixes the following security vulnerabilities:
     - CVE-2017-7519: libradosstripper printf format string injection
       vulnerability
     - CVE-2018-1128: The cephx authentication protocol was vulnerable to a
       replay attack.
     - CVE-2018-1129: Cephx signature calculation did not cover the whole
       message being sent. This allowed an attacker to alter parts of the
       message.
     - CVE-2018-1086: A flaw was found in the way ceph mon handles user
       requests. Any authenticated ceph user having read access to ceph can
       delete, create ceph storage pools and corrupt snapshot images.
   * [20b8e7] Replace sleep-recover.patch by reconnect-after-mds-reset.patch
   * [33f8d2] Remove CVE-2016-9597 patch applied upstream
   * [a9c2ee] Remove disable-openssl-linking.patch fixed upstream
     The upstream solution requires a build dependency on libssl-dev to be
     able to look up the sonames. The resulting code is not linked against
     libssl but can dlopen it at runtime.
   * [edc23d] Remove osd-limit-omap-data-in-push-op.patch applied upstream
   * [9dd30c] Remove rgw_rados-creation_time.patch applied upstream
   * [fff91f] Refresh patches
   * [c2925f] Update symbols for librbd1 (added in 10.2.6)

ceph (10.2.7-0exp1) experimental; urgency=medium
 .
   [ James Page ]
   * [585f53] New upstream version 10.2.6
 .
   [ Gaudenz Steinlin ]
   * [41b6fd] New upstream version 10.2.7
   * [916972] Remove patch "cve-2016-9579_short_cors_request" applied upstream
   * [541204] Remove patch "disable-openssl-linking" solved upstream
   * [60cc3d] Remove patch "osd-limit-omap-data-in-push-op" applied upstream
   * [ee0f76] Remove patch "rgw_rados-creation_time" applied upstream
   * [f07cb0] Refresh patches for 10.2.7
   * [be7663] Build depend on libssl-dev.
     This is only needed to satisfy the build system checks the resulting
     binary is not linked against openssl and only dlopens it at runtime.
     So there is no GPL violation.

chkrootkit (0.50-4+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Backport fix for regular expression for filtering out dhcpd and
     dhclient as false positives from the packet sniffer test.
 .
   [ Lorenzo "Palinuro" Faletra ]
   * Update /etc/cron.daily/chkrootkit (Closes: #600109)

chromium-browser (70.0.3538.110-1~deb9u1) stretch-security; urgency=medium
 .
   * New upstream security release.
     - CVE-2018-17479: Use-after-free in GPU.

chromium-browser (70.0.3538.102-1) unstable; urgency=medium
 .
   * New upstream security release.
     - CVE-2018-17478: Out of bounds memory access in V8. Reported by
       cloudfuzzer
   * Fix new lintian warnings.
   * Drop libjs-excanvas build dependency.
   * Add support for building with harfbuzz 2.1.1.
   * Document how to run chromium as root (closes: #838534).
   * Output debian specific instructions when no working sandbox is
     available.
   * Do not rely on transitive recommendation for the sandbox
     (closes: #913116).

chromium-browser (70.0.3538.102-1~deb9u1) stretch-security; urgency=medium
 .
   * New upstream security release.
     - CVE-2018-17478: Out of bounds memory access in V8. Reported by
       cloudfuzzer
   * Eliminate unintended dependency on gconf-service (closes: #913926).
   * Restore arm64 crashpad patch mistakenly dropped in the previous upload.

chromium-browser (70.0.3538.67-3) unstable; urgency=medium
 .
   * Fix a compiler warning.
   * Move the setuid sandbox into a separate package (closes: #839277).

chromium-browser (70.0.3538.67-2) unstable; urgency=medium
 .
   * Restore support for building with gtk2.

chromium-browser (70.0.3538.67-1) unstable; urgency=medium
 .
   * New upstream stable release.
     - CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned
       Williamson and Niklas Baumstark
     - CVE-2018-17463: Remote code execution in V8. Reported by Ned
       Williamson and Niklas Baumstark
     - Heap buffer overflow in Little CMS in PDFium. Reported by Quang
       Nguyễn
     - CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr
     - CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian
     - CVE-2018-17466: Memory corruption in Angle. Reported by Omair
     - CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani
     - CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by
       James Lee
     - CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou
     - CVE-2018-17470: Memory corruption in GPU Internals. Reported by
       Zhe Jin
     - CVE-2018-17471: Security UI occlusion in full screen mode. Reported
       by Lnyas Zhang
     - CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani
     - CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin
     - CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew
     - CVE-2018-17476: Security UI occlusion in full screen mode. Reported
       by Khalil Zhani
     - CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported
       by Yannic Bonenberger
     - CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir
       Hamilton
   * Fix build failure on i386.
   * Fix installation path of the master preferences file
     (closes: #911056).

chromium-browser (70.0.3538.67-1~deb9u1) stretch-security; urgency=medium
 .
   * New upstream stable release.
     - CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned
       Williamson and Niklas Baumstark
     - CVE-2018-17463: Remote code execution in V8. Reported by Ned
       Williamson and Niklas Baumstark
     - Heap buffer overflow in Little CMS in PDFium. Reported by Quang
       Nguyễn
     - CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr
     - CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian
     - CVE-2018-17466: Memory corruption in Angle. Reported by Omair
     - CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani
     - CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by
       James Lee
     - CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou
     - CVE-2018-17470: Memory corruption in GPU Internals. Reported by
       Zhe Jin
     - CVE-2018-17471: Security UI occlusion in full screen mode. Reported
       by Lnyas Zhang
     - CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani
     - CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin
     - CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew
     - CVE-2018-17476: Security UI occlusion in full screen mode. Reported
       by Khalil Zhani
     - CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported
       by Yannic Bonenberger
     - CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir
       Hamilton

chromium-browser (70.0.3538.54-2) unstable; urgency=medium
 .
   * Build with gcc 8 (closes: #901368).
   * Move the master preferences file to /etc/chromium (closes: #891232).

chromium-browser (70.0.3538.54-1) unstable; urgency=medium
 .
   * New upstream beta release.

chromium-browser (69.0.3497.100-1) unstable; urgency=medium
 .
   * New upstream stable release.
   * Update standards version to 4.2.1.
   * Clarify debugging section in README.debian (closes: #910842).
   * Remove ConvertUTF from the upstream tarball (closes: #900596).
   * Load all extensions installed to /usr/share/chromium/extensions.
     - Thanks to Michael Meskes (closes: #890392).
   * Remove audio_capture_enable setting from the default preferences
     (closes: #884887).

chromium-browser (69.0.3497.92-1) unstable; urgency=medium
 .
   * New upstream security release.
     - Function signature mismatch in WebAssembly. Reported by Kevin Cheung
     - URL Spoofing in Omnibox. Reported by evi1m0

compactheader (2.1.6-1~deb9u1) stretch; urgency=medium
 .
   [ Carsten Schoenert ]
   * Rebuild for Stretch (Closes: #918167)
   * [93f8afe] debhelper: decrease to version available in stretch
   * [8fd6a50] d/compat: decrease accordingly to version 10

compactheader (2.1.5-1) unstable; urgency=medium
 .
   [ David Prévot ]
   * [faa4ffb] Drop Icedove from description
   * [58353f3] Update Standards-Version to 3.9.7
 .
   [ Carsten Schoenert ]
   * [c9d19db] Adding debian/gbp.conf to make life easier
   * [5e31e42] New upstream version 2.1.5 (Closes: #891433)
   * [a7e96da] Add a patch queue
   * [15ea418] d/rules: don't install unneeded files and folder
     Don't install and ship files from the folder test and the files
     Readme.md build.xml which aren't needed for the use of the package.
   * [6d45fe5] d/rules: remove the get-orig-source target
     The old get-orig-source Makefile target isn't needed and can be
     dropped in favor of using uscan directly.
   * [449a5e1] bumping debhelper and compat to version 11
     Let's use a recent debhelper version.
   * [27ff6a3] d/control: increase Standards-Version to 4.1.4
     No further changes needed.
   * [8a365a5] d/control: move package over to pkg-mozext-team on salsa
     Alioth will be going offline and the successor platform is Salsa.
   * [891ab67] d/control: adding myself as uploader
     Thanks to William for working on compactheader in the past!
     (Closes: #892410)
   * [23957a9] d/control: adjust Maintainer field due changed email address
     Due changes for the Alioth host the Maintainer email is also changing
     to a new domain.

compactheader (2.1.1~beta1-1) experimental; urgency=medium
 .
   * Team upload
 .
   [ jmozmoz ]
   * Add Portuguese translation

courier (0.76.3-5+deb9u1) stretch; urgency=medium
 .
   [ Andreas Beckmann ]
   * Non-maintainer upload.
   * Backport @piddir@ substitution from 1.0.5-1.
 .
   [ Markus Wanner ]
   * Extend patch 0018-Fix-default-configuration-for-Debian.patch with the
     piddir addition proposed by Willi Mann. Closes: #875696.

cups (2.2.1-8+deb9u3) stretch; urgency=low
 .
   * Backport upstream fixes for:
     - CVE-2017-18248: DBUS notifications could crash the scheduler
     - CVE-2018-4700: Linux session cookies used a predictable random
       number seed (Closes: #915909)

curl (7.52.1-5+deb9u9) stretch-security; urgency=high
 .
   * Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
     https://curl.haxx.se/docs/CVE-2018-16890.html
   * Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
     https://curl.haxx.se/docs/CVE-2019-3822.html
   * Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
     https://curl.haxx.se/docs/CVE-2019-3823.html

debian-edu-config (1.929+deb9u3) stretch; urgency=medium
 .
   [ Wolfgang Schweer ]
   * debian-edu-config.chromium-ldapconf: Remove slapd start requirement.
 .
   debian-edu-config (1.929+deb9u2) stretch; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Fix configuration of personal web pages. (Closes: #866228).
     - Set right order of linking in cf/cf.apache2.
     - Add conditional code to d/d-e-c.postinst to fix the wrong
       configuration generated via the cfengine run during main server
       installation (introduced in version 1.926).
   * Re-enable offline installation of a combi server including diskless
     workstation support. (Closes: #867271, #904331).
     - 015-edu-apt-source: fix apt-get options to be able to use a repo of
       type 'file://'. As 'media/cdrom/' in the LTSP chroot is treated as
       such a repo, add 'acquire::check-valid-until=0' to APT_GET_OPTS;
       otherwise installation fails because the Release file is expired.
     - 032-edu-pkgs: Move all diskless workstation installation parts to
       the finalization stage of LTSP chroot installation.
   * Enable Chromium homepage setting at installation time and via LDAP as
     further improvements for the fix for bug #891262 in version
     1.929+deb9u1:
     - Add cf/cf.chromium (cfengine).
     - Add debian/debian-edu-config.chromium-ldapconf (init script).
     - Add share/debian-edu-config/tools/update-chromium-homepage (used by
       both cfengine and the init script).
     - Adjust Makefile and debian/rules.
 .
   [ Mike Gabriel ]
   * update-chromium-homepage:
     - Don't complain about non-existing config file when attempting its
       removal.
     - Don't statically set http://www as homepage, use detected homepage
       instead. (Closes: #911790)

debian-edu-config (1.929+deb9u2) stretch; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Fix configuration of personal web pages. (Closes: #866228).
     - Set right order of linking in cf/cf.apache2.
     - Add conditional code to d/d-e-c.postinst to fix the wrong
       configuration generated via the cfengine run during main server
       installation (introduced in version 1.926).
   * Re-enable offline installation of a combi server including diskless
     workstation support. (Closes: #867271, #904331).
     - 015-edu-apt-source: fix apt-get options to be able to use a repo of
       type 'file://'. As 'media/cdrom/' in the LTSP chroot is treated as
       such a repo, add 'acquire::check-valid-until=0' to APT_GET_OPTS;
       otherwise installation fails because the Release file is expired.
     - 032-edu-pkgs: Move all diskless workstation installation parts to
       the finalization stage of LTSP chroot installation.
   * Enable Chromium homepage setting at installation time and via LDAP as
     further improvements for the fix for bug #891262 in version
     1.929+deb9u1:
     - Add cf/cf.chromium (cfengine).
     - Add debian/debian-edu-config.chromium-ldapconf (init script).
     - Add share/debian-edu-config/tools/update-chromium-homepage (used by
       both cfengine and the init script).
     - Adjust Makefile and debian/rules.
 .
   [ Mike Gabriel ]
   * update-chromium-homepage:
     - Don't complain about non-existing config file when attempting its
       removal.
     - Don't statically set http://www as homepage, use detected homepage
       instead. (Closes: #911790)

debian-installer-netboot-images (20170615+deb9u5.b2) stretch; urgency=medium
 .
   * Update to 20170615+deb9u5+b2 images, from stretch-proposed-update

debian-security-support (2019.02.01~deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Rebuild for stretch, without d/control changes.

debian-security-support (2019.01.19) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Holger Levsen ]
   * d/control:
     - bump standards version to 4.3.0.
     - bump debhelper compat to 11, use the new debhelper-compat(=11)
       notation and drop d/compat.
     - add "Rules-Requires-Root: no" to support building as non-root.

debian-security-support (2018.11.25) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Markus Koschany ]
   * Mark jasperreports as end-of-life in Jessie.
 .
   [ Salvatore Bonaccorso ]
   * Mark webkit2gtk as unsupported in all releases. (Closes: #914567)
 .
   [ Holger Levsen ]
   * Bump standards version to 4.2.1.
 .
   [ Ondřej Nový ]
   * d/copyright: Use https protocol in Format field.
   * d/changelog: Remove trailing whitespaces.

debian-security-support (2018.11.25~deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Rebuild for stretch.
 .
   debian-security-support (2018.11.25) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Markus Koschany ]
   * Mark jasperreports as end-of-life in Jessie.
 .
   [ Salvatore Bonaccorso ]
   * Mark webkit2gtk as unsupported in all releases. (Closes: #914567)
 .
   [ Holger Levsen ]
   * Bump standards version to 4.2.1.
 .
   [ Ondřej Nový ]
   * d/copyright: Use https protocol in Format field.
   * d/changelog: Remove trailing whitespaces.
 .
   debian-security-support (2018.06.08) unstable; urgency=medium
 .
   * Add .gitlab-ci.yml configuration
   * Mark jruby in jessie as end-of-life as per DSA-4219-1
     (Closes: #901032)
 .
   debian-security-support (2018.05.20) unstable; urgency=medium
 .
   * Mark vlc in jessie as end-of-life as per DSA 4203-1
 .
   debian-security-support (2018.05.17) unstable; urgency=medium
 .
   [ Antoine Beaupré ]
   * mark frontaccounting as unsupported
 .
   [ Markus Koschany ]
   * Add xulrunner to security-support-ended.deb7
 .
   [ Salvatore Bonaccorso ]
   * Mark redmine as end-of-life for Debian 8 (jessie) (Closes: #897609)
   * Update Vcs-* headers for switch to salsa.debian.org
   * Update German translations.
     Thanks to Chris Leick (Closes: #878321)
 .
   debian-security-support (2018.01.29) unstable; urgency=medium
 .
   [ Markus Koschany ]
   * Add teamspeak to security-support-ended.deb7
   * Add libstruts1.2-java to security-support-ended.deb7.
   * Add nvidia-graphics-drivers to security-support-ended.deb7.
     Non-free is not supported
   * Add glassfish to security-support-ended.deb7
   * Mark jbossas4 as end-of-life in Wheezy.
   * Mark jasperreports as unsupported in Wheezy. No sponsor uses it.
     Targeted fixes not possible because detailed information about the
     vulnerabilities and their solution (patches) is not available.
 .
   [ Salvatore Bonaccorso ]
   * Mark chromium-browser as end-of-life for Debian 8 (Jessie)
 .
   [ Raphaël Hertzog ]
   * Mark libnet-ping-external-perl as unsupported in wheezy.
   * Mark mp3gain as unsupported in wheezy.
 .
   [ Emilio Pozuelo Monfort ]
   * Mark tor as unsupported in wheezy.
 .
   [ Guido Günther ]
   * Add swftools to security support limited
     swftools is orphaned (#885088) and the security tracker is currently
     counting 25 open CVEs. It is a useful tool with trusted content though.
   * Bump standards version to 4.1.3. No changes needed
   * Bump debhelper compat level to 9 which is available in oldoldstable
     (wheezy).

debian-security-support (2018.06.08) unstable; urgency=medium
 .
   * Add .gitlab-ci.yml configuration
   * Mark jruby in jessie as end-of-life as per DSA-4219-1
     (Closes: #901032)

debian-security-support (2018.05.20) unstable; urgency=medium
 .
   * Mark vlc in jessie as end-of-life as per DSA 4203-1

debian-security-support (2018.05.17) unstable; urgency=medium
 .
   [ Antoine Beaupré ]
   * mark frontaccounting as unsupported
 .
   [ Markus Koschany ]
   * Add xulrunner to security-support-ended.deb7
 .
   [ Salvatore Bonaccorso ]
   * Mark redmine as end-of-life for Debian 8 (jessie) (Closes: #897609)
   * Update Vcs-* headers for switch to salsa.debian.org
   * Update German translations.
     Thanks to Chris Leick (Closes: #878321)

debian-security-support (2018.01.29) unstable; urgency=medium
 .
   [ Markus Koschany ]
   * Add teamspeak to security-support-ended.deb7
   * Add libstruts1.2-java to security-support-ended.deb7.
   * Add nvidia-graphics-drivers to security-support-ended.deb7.
     Non-free is not supported
   * Add glassfish to security-support-ended.deb7
   * Mark jbossas4 as end-of-life in Wheezy.
   * Mark jasperreports as unsupported in Wheezy. No sponsor uses it.
     Targeted fixes not possible because detailed information about the
     vulnerabilities and their solution (patches) is not available.
 .
   [ Salvatore Bonaccorso ]
   * Mark chromium-browser as end-of-life for Debian 8 (Jessie)
 .
   [ Raphaël Hertzog ]
   * Mark libnet-ping-external-perl as unsupported in wheezy.
   * Mark mp3gain as unsupported in wheezy.
 .
   [ Emilio Pozuelo Monfort ]
   * Mark tor as unsupported in wheezy.
 .
   [ Guido Günther ]
   * Add swftools to security support limited
     swftools is orphaned (#885088) and the security tracker is currently
     counting 25 open CVEs. It is a useful tool with trusted content though.
   * Bump standards version to 4.1.3. No changes needed
   * Bump debhelper compat level to 9 which is available in oldoldstable
     (wheezy).

dnspython (1.15.0-1+deb9u1) stretch; urgency=medium
 .
   * Add
     debian/patches/0002-fix-error-when-parsing-nsec3-bitmap-from-text.patch
     from upstream (Closes: #915866)

drupal7 (7.52-2+deb9u6) stretch-security; urgency=high
 .
   [ William Blough ]
   * Add upstream fix for DATE_RFC7231 conflict with php7 (Closes: #911791)
 .
   [ Gunnar Wolf ]
   * SA-CORE-2019-001: Vulnerability in a third-party library (related to
     CVE-2018-1000888)
   * SA-CORE-2019-002: Arbitrary PHP code execution

egg (4.2.0-1.1+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Skip emacsen-install for unsupported xemacs21. (Closes: #900812)

erlang (1:19.2.1+dfsg-2+deb9u2) stretch; urgency=medium
 .
   [ Andreas Beckmann ]
   * Non-maintainer upload.
   * Backport removal of xemacs21 support from 1:21.2+dfsg-2.
 .
   [ Sergei Golovan ]
   * Do not install Erlang mode for XEmacs since it isn't supposed to work
     with it (closes: #909387).

espeakup (1:0.80-5+deb9u3) stretch; urgency=high
 .
   * debian/espeakup.service: Fix compatibility with older versions of
     systemd (Closes: Bug#913453). Also fix starting with empty voice
     language.

firefox-esr (60.5.0esr-1~deb9u1) stretch-security; urgency=medium
 .
   * New upstream release.
   * Fixes for mfsa2019-02, also known as:
     CVE-2018-18500, CVE-2018-18505, CVE-2018-18501.

firefox-esr (60.4.0esr-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fixes for mfsa2018-30, also known as:
     CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494,
     CVE-2018-18498, CVE-2018-12405.

firefox-esr (60.4.0esr-1~deb9u1) stretch-security; urgency=medium
 .
   * New upstream release.
   * Fixes for mfsa2018-30, also known as:
     CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494,
     CVE-2018-18498, CVE-2018-12405.
 .
   * debian/rules: Use embedded libevent in backports. Closes: #910397.
   * debian/browser.install.in, debian/rules: Properly copy the watermark to
     /usr/share/icons/hicolor/symbolic/apps.
   * debian/rules: Pass compiler and compiler flags environment variables
     down to ICU configure. That will make it use GCC instead of defaulting
     to clang now it's in PATH, avoiding the failing to build the ICU data
     file on big endian platforms because clang doesn't know some of the GCC
     flags it somehow got from the environment.
 .
   * build/unix/elfhack/test.c: Try to ensure the bss section of the elfhack
     testcase stays large enough. bz#1505608.
   * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB on
     systems with large pages. bz#1507035. Closes: #911898.

firefox-esr (60.3.0esr-3) unstable; urgency=medium
 .
   * debian/browser.install.in, debian/rules: Properly copy the watermark to
     /usr/share/icons/hicolor/symbolic/apps.
   * debian/rules: Pass compiler and compiler flags environment variables
     down to ICU configure.
     That will make it use GCC instead of defaulting to clang now it's in
     PATH, avoiding the failing to build the ICU data file on big endian
     platforms because clang doesn't know some of the GCC flags it somehow
     got from the environment.

firefox-esr (60.3.0esr-2) unstable; urgency=medium
 .
   * debian/control*: Build depend on unversioned clang/llvm.
     Closes: #912804.
   * debian/rules: Use embedded libevent in backports. Closes: #910397.
 .
   * build/unix/elfhack/test.c: Try to ensure the bss section of the elfhack
     testcase stays large enough. bz#1505608.
   * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB on
     systems with large pages. bz#1507035. Closes: #911898.

firefox-esr (60.3.0esr-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fixes for mfsa2018-27, also known as:
     CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396,
     CVE-2018-12397, CVE-2018-12389, CVE-2018-12390.
 .
   * debian/rules: Work around armel FTBFS from conflicting __sync_* symbols
     between libgcc and rust's compiler_builtins.

freerdp (1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3) stretch; urgency=medium
 .
   * debian/patches: Add security patches.
     - CVE-2018-8786.patch: The count variable in update_read_bitmap() needs
       to be UINT32 (not UINT16).
     - CVE-2018-8787.patch: In gdi_Bitmap_Decompress, check for invalid bpp,
       width and height before decompressing.
     - CVE-2018-8788.patch: In NSC encode/decode functions, catch data flawed
       in various ways and bail out with failure.
     - CVE-2018-8789.patch: In ntlm_read_message_fields_buffer, check buffer
       offset vs. Stream_Length and bail out if not appropriate.
     - Thanks to Alex Murray for backporting them to FreeRDP 1.1.
   * debian/patches:
     + Add 0010_add-support-for-credssp-v3-and-rdpproto-v6.patch. Add CredSSP
       v3 and RDP proto v6 support. This allows users to connect to recently
       (since March 2018) updated Microsoft RDP servers again. Thanks to
       Bernhard Miklautz and Martin Fleisz for helping out with backporting
       this patch. Much appreciated!
   * debian/control:
     + Update Vcs-*: URLs.
   * debian/lib{freerdp-core1.1,winpr-sspi0.1}.symbols: Update symbols.

ganeti-os-noop (0.2-1+deb9u1) stretch; urgency=medium
 .
   * debian/control:
     + Update Vcs-*: fields. VCS repo has been migrated to salsa.debian.org.
     + Priority extra -> optional.
     + Update Maintainer: field to 'Debian Ganeti Team'
   * debian/patches:
     + Add 1001_fix-export-script-for-non-block-devices.patch. Fix size
       detection for non-block devices. Thanks to Bastian Blank for providing
       the patch. (Closes: #895602).

ghostscript (9.26a~dfsg-0+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * New upstream version 9.26a~dfsg
     + Includes fix for CVE-2019-6116
   * Temporarily split ABI at ~ (not a).
   * Update symbols: 1 private added

ghostscript (9.26~dfsg-2) unstable; urgency=high
 .
   * Add patches cherry-picked upstream to fix segfault with certain PDFs
     with -dLastPage=1. Closes: Bug#915832. Thanks to Salvatore Bonaccorso.
   * Set urgency=high as this fixes a regression in 9.26~dfsg-1.

ghostscript (9.26~dfsg-1) unstable; urgency=high
 .
   [ upstream ]
   * New security and bugfix release.
 .
   [ Jonas Smedegaard ]
   * Drop patches cherry-picked upstream now applied.
   * Unfuzz patch 2009.
   * Set urgency=high due to high potential for security fixes (beyond those
     already included as cherry-picked patches).
   * Update symbols: 12 private added.

ghostscript (9.26~dfsg-0+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches cherry-picked upstream to fix segfault with certain PDFs
     with -dLastPage=1. (Closes: #915832)

ghostscript (9.26~dfsg-0+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * New upstream version 9.26~dfsg
     + Includes fixes for the following security vulnerabilities:
       CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477
   * Drop patches cherry-picked upstream now applied
   * Unfuzz patch 2009.
   * Update symbols: 12 private added.

ghostscript (9.25~dfsg-7) unstable; urgency=medium
 .
   * drop obsolete preinst migrations.
   * Quote variables in package helper update-gsfontmap.
   * Fix typos in previous changelog entries.
   * Disable parallel building. Closes: Bug#912847. Thanks to Matthias Klose.

ghostscript (9.25~dfsg-6) unstable; urgency=medium
 .
   * Add patch cherry-picked upstream to fix cups get/put_params LeadingEdge
     logic. Closes: Bug#912664. Thanks to Salvatore Bonaccorso.

ghostscript (9.25~dfsg-5) unstable; urgency=medium
 .
   * Add patch cherry-picked upstream to fix openjpeg segfault if size too
     large.

ghostscript (9.25~dfsg-4) unstable; urgency=high
 .
   * Re-release with urgency=high, due to CVE fixes.

ghostscript (9.25~dfsg-3) unstable; urgency=medium
 .
   * Add patches cherry-picked upstream to fix execution issues.
     + Implement .currentoutputdevice operator
     + Change "executeonly" to throw typecheck on gstatetype and devicetype
       objects
     + Undefine some additional internal operators.
     + Fix handling of .needinput if used from interpreter
     + Ensure all errors are included from initialization
     + setundercolorremoval memory corruption
     + copydevice fails after stack device copies invalidated
     + add operand checking to .setnativefontmapbuilt
     + add object type check for AES key
     + Add parameter type checking on .bigstring
     + zparse_dsc_comments can crash with invalid dsc_state
     + Catch errors in setpagesize, .setpagesize and setpagedevice and
       cleanup
     + Catch errors and cleanup stack on statusdict page size definitions
     + Add parameter checking in setresolution
     + device subclass open_device call must return child code
     + fix DSC comment parsing in pdfwrite
     + Check all uses of dict_find* to ensure 0 return properly handled
     + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite
     + Avoid overrunning non terminated string buffer.
     + Prevent SEGV in gs_setdevice_no_erase.
     + Fix uninitialised value for render_cond.
     + Hide the .needinput operator
     + filenameforall calls bad iodev with insufficient scratch
     + Improve hiding of security critical custom operators
     + Prevent SEGV after calling gs_image_class_1_simple.
     + don't push userdict in preparation for Type 1 fonts
     + add control over hiding error handlers.
     + For hidden operators, pass a name object to error handler.
     + Explicitly exclude /unknownerror from the SAFERERRORLIST
     + don't include operator arrays in execstack output
     + Make .forceput unavailable from '.policyprocs' helper dictionary
     + .loadfontloop must be an operator
     + font parsing - prevent SEGV in .cffparse
     Closes: Bug#910678, #910758, #911175
     (CVE-2018-17961, CVE-2018-18073, CVE-2018-18284).
     Thanks to Salvatore Bonaccorso.
   * Unfuzz patches.
   * Declare compliance with Debian Policy 4.2.1.
   * Update symbols: 1 private added.

ghostscript (9.25~dfsg-2) unstable; urgency=high
 .
   * Add/correct bug-closures for previous releases 9.25~dfsg-1,
     9.25~dfsg-1~exp1, 9.24~~rc2~dfsg-1, 9.21~dfsg-1.
   * Set urgency=high due to recent CVE fixes.

ghostscript (9.25~dfsg-1) unstable; urgency=medium
 .
   * Stop needlessly install symlinks handled upstream since ~9.05.
   * Tidy control file:
     + Wrap-and-sort.
     + Drop support for auto-resolving package relations or major version.
   * Update package relations:
     + Stop needlessly depend on debconf.
     + Stop build-depend on dh-buildinfo: Effectively unused.
     + Stop build-depend on libtrio: Unused upstream since 9.18.
   * Update copyright info:
     + Wrap-and-sort.
     + Extend coverage of Debian packaging. Drop unneeded copyright signs.
     + Fix files section licensed as AGPL-3+ (no longer GPL-3+).
     + Use semantic linefeeds.
   * Update symbols tracking:
     + Drop 19 private symbols.
     + Add 59 private symbols.
   * Add more bug-closures to previous release 9.25~dfsg-1~exp1.

ghostscript (9.25~dfsg-1~exp1) experimental; urgency=medium
 .
   [ upstream ]
   * New bugfix release(s).
     Closes: Bug#907703, #908300, #908303, #908304, #908305
     (CVE-2018-16509, CVE-2018-16543, CVE-2018-16510, CVE-2018-16585).
     Thanks to Salvatore Bonaccorso.
 .
   * Update copyright info:
     + Stop exclude image containing non-DFSG ICC profile when repackaging
       upstream source: Fixed upstream.
     + Fix cover license FTL.
   * Set Rules-Requires-Root: no.
   * Update symbols:
     + Drop commented out obsolete symbols.
     + Flag as optional symbols not declared in public header files.
   * Avoid privacy breach linking documentation to jquery:
     + Add patch 2009 to use local jquery.
     + Add symlink from relative link to system-shared jquery library.
     + Have ghostscript-doc depend on libjs-jquery.
   * Avoid privacy breach linking documentation to font:
     + Avoid linking to remote fonts in documentation.
   * Avoid privacy breach linking documentation with Google:
     + Strip googletagmanager code from documentation.

ghostscript (9.25~dfsg-0+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * New upstream version 9.25~dfsg
     + Fixes regression using ps2ascii after fix for CVE-2018-17183
       (Closes: #909076)
     + status operator honour SAFER option (CVE-2018-11645)
   * Drop patches applied upstream
   * Rebase 2001_docdir_fix_for_debian.patch for 9.25
   * Rebase 2010_add_build_timestamp_setting.patch for 9.25
   * Add patches cherry-picked upstream to fix execution issues.
     + Implement .currentoutputdevice operator
     + Change "executeonly" to throw typecheck on gstatetype and devicetype
       objects
     + Undefine some additional internal operators.
     + Fix handling of .needinput if used from interpreter
     + Ensure all errors are included from initialization
     + setundercolorremoval memory corruption
     + copydevice fails after stack device copies invalidated
     + add operand checking to .setnativefontmapbuilt
     + add object type check for AES key
     + Add parameter type checking on .bigstring
     + zparse_dsc_comments can crash with invalid dsc_state
     + Catch errors in setpagesize, .setpagesize and setpagedevice and
       cleanup
     + Catch errors and cleanup stack on statusdict page size definitions
     + Add parameter checking in setresolution
     + device subclass open_device call must return child code
     + fix DSC comment parsing in pdfwrite
     + Check all uses of dict_find* to ensure 0 return properly handled
     + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite
     + Avoid overrunning non terminated string buffer.
     + Prevent SEGV in gs_setdevice_no_erase.
     + Fix uninitialised value for render_cond.
     + Hide the .needinput operator
     + filenameforall calls bad iodev with insufficient scratch
     + Improve hiding of security critical custom operators (CVE-2018-17961)
       (Closes: #911175)
     + Prevent SEGV after calling gs_image_class_1_simple.
     + don't push userdict in preparation for Type 1 fonts
     + add control over hiding error handlers. (Closes: #909929)
     + For hidden operators, pass a name object to error handler.
       (CVE-2018-17961) (Closes: #911175)
     + Explicitly exclude /unknownerror from the SAFERERRORLIST
     + don't include operator arrays in execstack output (CVE-2018-18073)
       (Closes: #910758)
     + Make .forceput unavailable from '.policyprocs' helper dictionary
       (CVE-2018-18284) (Closes: #911175)
     + .loadfontloop must be an operator (CVE-2018-17961) (Closes: #911175)
     + font parsing - prevent SEGV in .cffparse
   * openjpeg allocator must return NULL if size too large
   * debian/copyright: Refresh with version from 9.25~dfsg-5
   * debian/libgs9.symbols: Update (and sync from 9.25~dfsg-5) for new
     version. Adjust version for errorexec_find@Base.
   * Fix cups get/put_params LeadingEdge logic (cf. #912664)
   * Avoid privacy breach linking documentation to jquery:
     + Add patch 2009 to use local jquery.
     + Add symlink from relative link to system-shared jquery library.
     + Have ghostscript-doc depend on libjs-jquery.
   * Avoid privacy breach linking documentation to font:
     + Avoid linking to remote fonts in documentation.
   * Avoid privacy breach linking documentation with Google:
     + Strip googletagmanager code from documentation.

ghostscript (9.24~~rc2~dfsg-1) experimental; urgency=medium
 .
   [ upstream ]
   * New prerelease.
 .
   * Update copyright info:
     + Exclude convenience code copy of lcms2mt (not lcms2) and image
       containing non-DFSG ICC profile when repackaging upstream source.
   * Update copyright-check maintainer script: Extract metadata from png
     files.
   * Update copyright info:
     + Extend coverage for main upstream author.
     + Extend coverage for Adobe.
   * Drop patches cherry-picked upstream since applied.
   * Unfuzz patches.

ghostscript (9.22~dfsg-3) unstable; urgency=high
 .
   * Add patches cherry-picked upstream to fix execution issues:
     + Properly apply file permissions to .tempfile.
     + Don't just assume an object is a t_(a)struct.
     + Fix handling of pre-SAFER opened files.
     + Properly check return value when getting value from a dictionary.
     + Handle LockDistillerParams not being a boolean.
     + Fix shading_param incomplete type checking.
     + Ensure the correct is in place before cleanup.
     + Check the restore operand type.
     + Fix memory corruption in aesdecode.
     + Fix handle stack overflow during error handling.
     + Avoid sharing pointers between pdf14 compositors.
     + Improve restore robustness.
     + Hide the .shfill operator.
     Closes: Bug#907332. Thanks to Nicolas Braud-Santoni.
   * Use package section optional (not extra).
   * Extend lintian overrides regarding License-Reference.
   * Declare compliance with Debian Policy 4.2.0.

ghostscript (9.22~dfsg-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Buffer overflow in fill_threshold_buffer (CVE-2016-10317)
     (Closes: #860869)
   * pdfwrite - Guard against trying to output an infinite number
     (CVE-2018-10194) (Closes: #896069)

ghostscript (9.22~dfsg-2) unstable; urgency=medium
 .
   * Update Vcs-* fields for the move to salsa.d.o

ghostscript (9.22~dfsg-1) unstable; urgency=medium
 .
   [ upstream ]
   * New release. Highlights:
     + Ghostscript can now consume and produce (via the pdfwrite device) PDF
       2.0 compliant files.
     + The main focus of this release has been security and code cleanliness.
       Hence many AddressSanitizer, Valgrind and Coverity issues have been
       addressed.
     + The usual round of bug fixes, compatibility changes, and incremental
       improvements.
 .
   [ Jonas Smedegaard ]
   * Update copyright info:
     + Update paths of files to strip from upstream source.
     + Stop strip ConvertUTF files when repackaging upstream source: No
       longer included upstream.
   * Update watch file: Use substitution strings.
   * Update package relations:
     + Relax to build-depend unversioned on liblcms2-dev d-shlibs cdbs:
       Needed versions satisfied even in oldstable
   * Tighten lintian overrides regarding License-Reference.
   * Use https protocol for upstream Homepage.
   * Declare compliance with Debian Policy 4.1.1.
   * Drop patches applied upstream.
   * Unfuzz patches.
   * Update symbols file.

ghostscript (9.22~~rc1~dfsg-1) experimental; urgency=medium
 .
   [ upstream ]
   * New release. Highlights:
     + Ghostscript can now consume and produce (via the pdfwrite device) PDF
       2.0 compliant files.
     + The main focus of this release has been security and code cleanliness.
       Hence many AddressSanitizer, Valgrind and Coverity issues have been
       addressed.
     + The usual round of bug fixes, compatibility changes, and incremental
       improvements.
 .
   * Update copyright info:
     + Update paths of files to strip from upstream source.
     + Stop strip ConvertUTF files when repackaging upstream source: No
       longer included upstream.
   * Update watch file: Use substitution strings.
   * Update package relations:
     + Relax to build-depend unversioned on liblcms2-dev d-shlibs cdbs:
       Needed versions satisfied even in oldstable
   * Tighten lintian overrides regarding License-Reference.
   * Use https protocol for upstream Homepage.
   * Declare compliance with Debian Policy 4.1.0.
   * Drop patches applied upstream.
   * Unfuzz patches.

ghostscript (9.21~dfsg-1) unstable; urgency=medium
 .
   [ upstream ]
   * New release. Highlights:
     + pdfwrite preserves annotations from input PDFs where possible.
     + GhostXPS pass required data to pdfwrite to emit a ToUnicode CMap,
       resulting in fully searchable PDFs created from XPS in most cases.
     + Allow default color space for PDF transparency blends.
     + Improved support for cross-compiling in configure script.
     + tiffscaled and tiffscaled4 supports ETS (Even Tone Screening).
     + toolbin/pdf_info.ps utility emits PDF XML metadata.
     + New scan converter, more performant with large and complex paths.
 .
   [ Jonas Smedegaard ]
   * Modernize cdbs:
     + Do copyright-check in maintainer script (not during build).
   * Avoid compressing pdf documentation.
   * Revive git-ignore file, lost importing NMUs.
   * Update watch file: Fix track releases (not tags).
   * Update copyright info:
     + Fix update main Files section to include all directory wildcards
       declared in root LICENSE file.
     + Stop track files no longer shipped upstream.
     + Add copyright holder Raph Levien.
     + Extend coverage for main upstream author.
     + Use https protocol in format string.
   * Update patches:
     + Drop patches applied upstream.
     + Normalize patch names.
     + Tidy DEP3 patch headers.
     + Add patch cherry-picked upstream to fix the shared openjpeg build.
     + Add patch cherry-picked upstream to fix shared lib build with openjpeg
       >= 2.1.1, replacing patch 1001.
   * Update package relations:
     + Relax build-dependency on cdbs.
     + Stop build-depend on licensecheck libregexp-assemble-perl
       libimage-exiftool-perl libfont-ttf-perl.
   * Relax symbols check when targeting experimental.
   * Update symbols: 16 dropped. 37 added.
   * Declare compliance with Debian Policy 4.0.0.

ghostscript (9.21~dfsg-1~exp1) experimental; urgency=medium
 .
   [ upstream ]
   * New release. Highlights:
     + pdfwrite preserves annotations from input PDFs where possible.
     + GhostXPS pass required data to pdfwrite to emit a ToUnicode CMap,
       resulting in fully searchable PDFs created from XPS in most cases.
     + Allow default color space for PDF transparency blends.
     + Improved support for cross-compiling in configure script.
     + tiffscaled and tiffscaled4 supports ETS (Even Tone Screening).
     + toolbin/pdf_info.ps utility emits PDF XML metadata.
     + New scan converter, more performant with large and complex paths.
 .
   [ Jonas Smedegaard ]
   * Modernize cdbs:
     + Do copyright-check in maintainer script (not during build).
   * Avoid compressing pdf documentation.
   * Revive git-ignore file, lost importing NMUs.
   * Update watch file: Fix track releases (not tags).
   * Update copyright info:
     + Stop track files no longer shipped upstream.
     + Add copyright holder Raph Levien.
     + Extend coverage for main upstream author.
   * Update patches:
     + Drop patches applied upstream.
     + Normalize patch names.
     + Tidy DEP3 patch headers.
     + Add patch cherry-picked upstream to fix the shared openjpeg build.
     + Add patch cherry-picked upstream to fix shared lib build with openjpeg
       >= 2.1.1, replacing patch 1001.
   * Update package relations:
     + Relax build-dependency on cdbs.
     + Stop build-depend on licensecheck libregexp-assemble-perl
       libimage-exiftool-perl libfont-ttf-perl.
   * Relax symbols check when targeting experimental.

glibc (2.24-11+deb9u4) stretch; urgency=medium
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670).
       Closes: #879501.
     - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671).
       Closes: #879500.
     - Fix a buffer overflow in glob with GLOB_TILDE in unescaping
       (CVE-2017-15804). Closes: #879955.
     - Fix a memory leak in ld.so (CVE-2017-1000408). Closes: #884132.
     - Fix a buffer overflow in ld.so (CVE-2017-1000409). Closes: #884133.
     - Fixes incorrect RPATH/RUNPATH handling for SUID binaries
       (CVE-2017-16997). Closes: #884615.
     - Fix a data corruption in SSE2-optimized memmove implementation for
       i386 (CVE-2017-18269).
     - Fix a stack-based buffer overflow in the realpath function
       (CVE-2018-11236). Closes: #899071.
     - Fix a buffer overflow in the AVX-512-optimized implementation of the
       mempcpy function (CVE-2018-11237). Closes: #899070.
     - Fix stack guard size accounting and reduce stack usage during
       unwinding to avoid segmentation faults on CPUs with AVX512-F.
       Closes: #903554.
     - Fix a use after free in pthread_create(). Closes: #916925.
   * debian/debhelper.in/libc.postinst, script.in/nsscheck.sh: check for
     postgresql in NSS check. Closes: #710275.
 .
   [ Sebastian Andrzej Siewior ]
   * patches/any/local-condvar-do-not-use-requeue-for-pshared-condvars.patch:
     patch to fix pthread_cond_wait() in the pshared case on non-x86.
     Closes: #904158.

glx-alternatives (0.8.8~deb9u2) stretch; urgency=medium
 .
   * Revert dpkg-trigger changes from 0.8.8 as it may cause an exception
     thrown in apt. (Closes: #922210)

glx-alternatives (0.8.8~deb9u1) stretch; urgency=medium
 .
   * Rebuild for stretch.
 .
 glx-alternatives (0.8.8) unstable; urgency=medium
 .
   * glx-diversions: Put all packages that had shared libraries diverted into
     triggers-awaited state to ensure the triggers in glx-alternative-mesa
     setting up the glx alternative get processed earlier. (Closes: #905908)
   * Bump Standards-Version to 4.2.1. No changes needed.
 .
 glx-alternatives (0.8.7) unstable; urgency=medium
 .
   * Update validation of the diverted libGL.so symlink.
 .
 glx-alternatives (0.8.6) unstable; urgency=medium
 .
   * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not
     an indicator to install the alternative. (Closes: #904486)
 .
 glx-alternatives (0.8.5) unstable; urgency=medium
 .
   * Avoid confusing diagnostic message if no nvidia alternative is
     available.
 .
 glx-alternatives (0.8.4) unstable; urgency=medium
 .
   * Add diversion and alternative for libGLX_indirect.so.0.
   * Bump Standards-Version to 4.1.5. No changes needed.

glx-alternatives (0.8.8~bpo9+1) stretch-backports; urgency=medium
 .
   * Rebuild for stretch-backports.
 .
 glx-alternatives (0.8.8) unstable; urgency=medium
 .
   * glx-diversions: Put all packages that had shared libraries diverted into
     triggers-awaited state to ensure the triggers in glx-alternative-mesa
     setting up the glx alternative get processed earlier. (Closes: #905908)
   * Bump Standards-Version to 4.2.1. No changes needed.

glx-alternatives (0.8.7) unstable; urgency=medium
 .
   * Update validation of the diverted libGL.so symlink.

glx-alternatives (0.8.7~bpo9+1) stretch-backports; urgency=medium
 .
   * Rebuild for stretch-backports.
 .
 glx-alternatives (0.8.7) unstable; urgency=medium
 .
   * Update validation of the diverted libGL.so symlink.
 .
 glx-alternatives (0.8.6) unstable; urgency=medium
 .
   * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not
     an indicator to install the alternative. (Closes: #904486)
 .
 glx-alternatives (0.8.5) unstable; urgency=medium
 .
   * Avoid confusing diagnostic message if no nvidia alternative is
     available.
 .
 glx-alternatives (0.8.4) unstable; urgency=medium
 .
   * Add diversion and alternative for libGLX_indirect.so.0.
   * Bump Standards-Version to 4.1.5. No changes needed.

glx-alternatives (0.8.6) unstable; urgency=medium
 .
   * glx-alternative-mesa: libGLX_mesa.so.0 is not diverted and therefore not
     an indicator to install the alternative. (Closes: #904486)

glx-alternatives (0.8.5) unstable; urgency=medium
 .
   * Avoid confusing diagnostic message if no nvidia alternative is
     available.

glx-alternatives (0.8.4) unstable; urgency=medium
 .
   * Add diversion and alternative for libGLX_indirect.so.0.
   * Bump Standards-Version to 4.1.5. No changes needed.

glx-alternatives (0.8.3) unstable; urgency=medium
 .
   * Divert libGL.so.1.7.0, libGLESv1_CM.so.1.2.0, libGLESv2.so.2.1.0,
     libEGL.so.1.1.0 that will be used by the next libglvnd upstream release.
   * Update validation of the diverted libGL.so.1 symlink. (Closes: #879041)

gnulib (20140202+stable-2+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * vasnprintf: Fix heap memory overrun bug (CVE-2018-17942)
     (Closes: #910757)

gnupg2 (2.1.18-8~deb9u4) stretch; urgency=medium
 .
   * Avoid crash when importing without a TTY (Closes: #913614)

graphite-api (1.1.3-2+deb9u1) stretch; urgency=medium
 .
   [ Andreas Beckmann ]
   * Non-maintainer upload.
   * Backport spelling fix from 1.1.3-3. (Closes: #826020)
 .
   [ Vincent Bernat ]
   * d/service: fix RequiresMountsFor spelling.

grokmirror (1.0.0-1.1~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
 grokmirror (1.0.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add the missing dependency on python-pkg-resources. (Closes: #888847)

gvrng (4.4-3~deb9u1) stretch; urgency=medium
 .
   * QA upload.
   * Rebuild for stretch.
 .
 gvrng (4.4-3) unstable; urgency=high
 .
   * QA upload.
   * Fix the permissions problem that prevented starting gvrng.
     (Closes: #850516)
   * Tell dh_python2 where to find the files to generate dependencies.

ibus (1.5.14-3+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Remove the dependency of the gir package against python, it breaks
     multiarch installation. (Closes: #889053)

icecast2 (2.4.2-1+deb9u1) stretch-security; urgency=high
 .
   * d/p/CVE-2018-18820.patch:
     - Cherry-pick upstream commits fixing buffer overflow in URL
       authentication
     - Closes: #912611, CVE-2018-18820

icinga2 (2.6.0-2+deb9u1) stretch; urgency=medium
 .
   * [0eb3cad] Fix timestamps being stored as local time in PostgreSQL.

intel-microcode (3.20180807a.2~deb9u1) stretch; urgency=medium
 .
   * Release managers: This update is being distributed by Debian in
     unstable, testing and jessie- and stretch-backports since 2018-10-30
     without issues, and by most distros since 2018-08/2018-09, with no known
     reports of regressions on Westmere EP processors (Spectre mitigations
     are very expensive on Nehalem and Westmere, though).
   * SECURITY FIX: this update adds the accumulated fixes for Westmere EP
     (signature 0x206c2) from nearly a decade, including but likely not
     limited to:
     + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
       Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
     + Implements SSBD support (Spectre v4 mitigation),
       Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
       Intel SA-00115, CVE-2018-3639, CVE-2018-3640
     + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation.
       Intel SA-0088, CVE-2017-5753, CVE-2017-5754
     + Very likely implements LAPIC sinkhole fix
     + Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging may
       cause system crash
   * This Westmere EP microcode update has been explicitly approved by Intel
     for general distribution by operating systems, refer to the changelog
     entry for 3.20180807a.2 below
 .
 intel-microcode (3.20180807a.2) unstable; urgency=medium
 .
   * Makefile: unblacklist 0x206c2 (Westmere EP)
     According to pragyansri.pathi@intel.com, on message to LP#1795594 on
     2018-10-09, we can ship 0x206c2 updates without restrictions. Also,
     there are no reports in the field about this update causing issues
     (closes: #907402) (LP: #1795594)

intel-microcode (3.20180807a.2~bpo9+1) stretch-backports; urgency=medium
 .
   * Rebuild for stretch-backports (no changes)
 .
 intel-microcode (3.20180807a.2) unstable; urgency=medium
 .
   * Makefile: unblacklist 0x206c2 (Westmere EP)
     According to pragyansri.pathi@intel.com, on message to LP#1795594 on
     2018-10-09, we can ship 0x206c2 updates without restrictions.
     Also, there are no reports in the field about this update causing issues
     (closes: #907402) (LP: #1795594)

intel-microcode (3.20180807a.2~bpo8+1) jessie-backports-sloppy; urgency=medium
 .
   * Rebuild for jessie-backports-sloppy (no changes)
 .
 intel-microcode (3.20180807a.2) unstable; urgency=medium
 .
   * Makefile: unblacklist 0x206c2 (Westmere EP)
     According to pragyansri.pathi@intel.com, on message to LP#1795594 on
     2018-10-09, we can ship 0x206c2 updates without restrictions. Also,
     there are no reports in the field about this update causing issues
     (closes: #907402) (LP: #1795594)

intel-microcode (3.20180807a.1) unstable; urgency=high
 .
   [ Henrique de Moraes Holschuh ]
   * New upstream microcode datafile 20180807a
     (closes: #906158, #906160, #903135, #903141)
     + New Microcodes:
       sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
       sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216
       sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360
       sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336
       sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240
     + Updated Microcodes:
       sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
       sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216
       sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216
       sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096
       sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288
       sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336
       sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312
       sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552
       sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432
       sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528
       sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600
       sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312
       sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328
       sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744
       sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x7000013, size 22528
       sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf000012, size 22528
       sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384
       sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328
       sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728
       sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304
       sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304
       sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304
       sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280
       sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304
     + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
       Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
     + Implements SSBD support (Spectre v4 mitigation),
       Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
       Intel SA-00115, CVE-2018-3639, CVE-2018-3640
     + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation for older
       processors with signatures 0x106a5, 0x106e5, 0x20652, 0x20655.
       Intel SA-0088, CVE-2017-5753, CVE-2017-5754
   * source: update symlinks to reflect id of the latest release, 20180807a
   * debian/intel-microcode.docs: ship license and releasenote upstream
     files.
   * debian/changelog: update entry for 3.20180703.1 with L1TF information
 .
   [ Julian Andres Klode ]
   * initramfs: include all microcode for MODULES=most.
     Default to early instead of auto, and install all of the microcode, not
     just the one matching the current CPU, if MODULES=most is set in the
     initramfs-tools config (LP: #1778738)

isort (4.2.5+ds1-2+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Add missing dependency on python3-pkg-resources. Thanks to Andreas
     Beckmann for reporting the issue. (Closes: #902327)
   * Fix dependencies of the python2 package by using the correct
     ${python:Depends} substvar instead of ${python3:Depends}. Thanks to Paul
     Wise for catching it.
(Closes: #884682) jdupes (1.7-2+deb9u1) stretch; urgency=medium . * debian/patches/20_fix-crash-arm.patch: add to fix a potential crash in ARM. Thanks to Jody Bruchon. (Closes: #914078) kmodpy (0.1.10-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . kmodpy (0.1.10-2.1) unstable; urgency=high . * Non-maintainer upload. * Remove the incorrect Multi-Arch: same. (Closes: #897223) libapache-mod-jk (1:1.2.46-0+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * New upstream version 1.2.46 + CVE-2018-11759: fix information disclosure and privilege escalation libapache-mod-jk (1:1.2.44-3) unstable; urgency=medium . * Remove conf/httpd-jk.conf from debian/clean to fix a FTBFS when building binary-arch target. libapache-mod-jk (1:1.2.44-2) unstable; urgency=medium . * Fix broken httpd-jk symlink. Thanks to Andreas Beckmann for the report. (Closes: #910160) libapache-mod-jk (1:1.2.44-1) unstable; urgency=medium . * New upstream version 1.2.44. * Declare compliance with Debian Policy 4.2.1. * Remove Damien Raude-Morvan from Uploaders. Add myself to Uploaders. (Closes: #889461) * Suggest alternative tomcat9 package. * Drop obsolete libapache2-mod-jk.NEWS. * Install new httpd-jk.conf file which follows Apache 2.4 syntax. (Closes: #786635) libapache-mod-jk (1:1.2.43-1) unstable; urgency=medium . * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.3 * Switch to debhelper level 11 libapache2-mod-perl2 (2.0.10-2+deb9u1) stretch; urgency=medium . * [SECURITY] CVE-2011-2767: don't allow <Perl> sections in user controlled configuration (Closes: #644169) libarchive (3.2.2-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload. * Fix the following security vulnerabilities: CVE-2016-10209, CVE-2016-10349, CVE-2016-10350, CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503, CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879 and CVE-2018-1000880.
Multiple security vulnerabilities were found in libarchive, a multi-format archive and compression library. Heap-based buffer over-reads, NULL pointer dereferences, use-after-frees and out-of-bounds reads allow remote attackers to cause a denial-of-service (application crash) via specially crafted archive files. (Closes: #859456, #861609, #874539, #875966, #875974, #875960, #916964, #916963, #916960) libb2 (0.97-2+deb9u1) stretch; urgency=medium . * debian/patches/60ea749837362c226e8501718f505ab138e5c19d.patch: detect if the system can use AVX before actually using it (Closes: #884958) libdatetime-timezone-perl (1:2.09-1+2018i) stretch; urgency=medium . * Update to Olson database version 2018i. This update contains contemporary changes for São Tomé and Príncipe. libdatetime-timezone-perl (1:2.09-1+2018h) stretch; urgency=medium . * Update to Olson database version 2018h. This update contains contemporary changes for Kazakhstan, Alaska, Morocco, and Iran. libemail-address-list-perl (0.05-1+deb9u1) stretch; urgency=medium . * [SECURITY] Fix DoS vulnerability CVE-2018-18898 libemail-address-perl (1.908-1+deb9u1) stretch; urgency=medium . * Team upload. * [SECURITY]: Fix DoS vulnerabilities CVE-2015-7686 and CVE-2018-12558 libextractor (1:1.3-4+deb9u3) stretch-security; urgency=high . * Fix out-of-bounds read vulnerability in common/convert.c (Closes: #917214, CVE-2018-20430). * Fix NULL pointer dereference in OLE2 extractor (Closes: #917213, CVE-2018-20431). libgd2 (2.2.4-2+deb9u4) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Heap-based buffer overflow in gdImageColorMatch (CVE-2019-6977) (Closes: #920645) * Potential double-free in gdImage*Ptr() (CVE-2019-6978) (Closes: #920728) libgpod (0.8.3-8.2+deb9u1) stretch; urgency=high . * QA upload. * debian/control: Replace defunct Vcs-* fields with correct ones. * python-gpod: Add missing dependency on python-gobject-2. 
(Closes: #896230) liblivemedia (2016.11.28-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2018-4013: stack-based buffer overflow in the HTTP packet-parsing functionality, potentially resulting in code execution. libphp-phpmailer (5.2.14+dfsg-2.3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * object injection vulnerability (CVE-2018-19296) (Closes: #913912) libreoffice (1:5.2.7-1+deb9u5) stretch-security; urgency=high . * debian/patches/disableClassPathURLCheck.diff: add workaround to fix build with openjdks with S8195874 included - add -Djdk.net.URLClassPath.disableClassPathURLCheck=true to JAVAIFLAGS; see https://gerrit.libreoffice.org/#/c/63118/2 . * debian/patches/keep-pyuno-script-processing-below-base-uri.diff: as name says (CVE-2018-16858) * debian/patches/show-partial-signatures-even-if-cert-validation-fails.diff: as name says (CERT-Bund#2018100828000257), but backport the non-UI parts only - the "signing already existing PDFs" feature doesn't exist here yet libssh (0.7.3-2+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Fix broken server-side keyboard-interactive authentication. Thanks to Martin Pitt (Closes: #913870) libvncserver (0.9.11+dfsg-1.3~deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for stretch-security. libvncserver (0.9.11+dfsg-1.2) unstable; urgency=high . * Non-maintainer upload. 
* Fix multiple security vulnerabilities (Closes: #916941) - Use-after-free in file transfer extension allows for potential code execution (CVE-2018-15126) - Heap out-of-bounds write in rfbserver.c:rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - Multiple heap out-of-bound writes in VNC client code (CVE-2018-20019) - Heap out-of-bound write inside structure in VNC client code allows for potential code execution (CVE-2018-20020) - Infinite loop in VNC client code allows for denial of service (CVE-2018-20021) - Improper initialization in VNC client code allows for information disclosure (CVE-2018-20022) - Improper initialization in VNC Repeater client code allows for information disclosure (CVE-2018-20023) - NULL pointer dereference in VNC client code allows for denial of service (CVE-2018-20024) - Use-after-free in file transfer extension server code allows for potential code execution (CVE-2018-6307) * Update symbols file for libvncserver1. The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and introduces new CloseUndoneFileDownload and CloseUndoneFileUpload. libvncserver (0.9.11+dfsg-1.1) unstable; urgency=high . * Non-maintainer upload. * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. (Closes: #894045) linux (4.9.144-3) stretch; urgency=medium . * libceph: fix CEPH_FEATURE_CEPHX_V2 check in calc_signature() (regression in 4.9.144) linux (4.9.144-2) stretch; urgency=medium . * [mips*] inst: Avoid ABI change in 4.9.136 (fixes FTBFS) * efi/libstub: Unify command line param parsing (fixes FTBFS on arm64) linux (4.9.144-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.136 - xfrm: Validate address prefix lengths in the xfrm selector. 
- xfrm6: call kfree_skb when skb is toobig - mac80211: Always report TX status - cfg80211: reg: Init wiphy_idx in regulatory_hint_core() - mac80211: fix pending queue hang due to TX_DROP - cfg80211: Address some corner cases in scan result channel updating - mac80211: TDLS: fix skb queue/priority assignment - [armel,armhf] 8799/1: mm: fix pci_ioremap_io() offset check - xfrm: validate template mode - nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT - mac80211_hwsim: do not omit multicast announce of first added radio - Bluetooth: SMP: fix crash in unpairing - qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor - qed: Avoid constant logical operation warning in qed_vf_pf_acquire - asix: Check for supported Wake-on-LAN modes - ax88179_178a: Check for supported Wake-on-LAN modes - lan78xx: Check for supported Wake-on-LAN modes - sr9800: Check for supported Wake-on-LAN modes - r8152: Check for supported Wake-on-LAN Modes - smsc75xx: Check for Wake-on-LAN modes - smsc95xx: Check for Wake-on-LAN modes - perf/ring_buffer: Prevent concurent ring buffer access - [x86] perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX - [armhf] net: fec: fix rare tx timeout - net: cxgb3_main: fix a missing-check bug - perf symbols: Fix memory corruption because of zero length symbols - mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() - [mips*] microMIPS: Fix decoding of swsp16 instruction - [mips*] Handle non word sized instructions when examining frame - scsi: aacraid: Fix typo in blink status - f2fs: fix multiple f2fs_add_link() having same name for inline dentry - igb: Remove superfluous reset to PHY and page 0 selection - ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs - PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode - [arm64,armhf] i2c: bcm2835: Avoid possible NULL ptr dereference - efi/fb: Correct PCI_STD_RESOURCE_END usage - ipv6: set rt6i_protocol properly in the route when it is installed - [x86] platform: 
acer-wmi: setup accelerometer when ACPI device was found - IB/ipoib: Do not warn if IPoIB debugfs doesn't exist - IB/core: Fix the validations of a multicast LID in attach or detach operations - rxe: Fix a sleep-in-atomic bug in post_one_send - nvme-pci: fix CMB sysfs file removal in reset path - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well. - net/mlx5: Fix command completion after timeout access invalid structure - tipc: Fix tipc_sk_reinit handling of -EAGAIN - tipc: fix a race condition of releasing subscriber object - bnxt_en: Don't use rtnl lock to protect link change logic in workqueue. - [armhf] dts: bcm283x: Reserve first page for firmware - btrfs: fiemap: Cache and merge fiemap extent before submit it to user - [arm64] reset: hi6220: Set module license so that it can be loaded - [x86] ASoC: Intel: Skylake: Fix to parse consecutive string tkns in manifest - mac80211: fix TX aggregation start/stop callback race - libata: fix error checking in in ata_parse_force_one() - [armhf] net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization - [i386] x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC - [armhf] gpu: ipu-v3: Fix CSI selection for VDIC - [arm64,armhf] net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value - Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io - ufs: we need to sync inode before freeing it - net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare - ip6_tunnel: Correct tos value in collect_md mode - net/mlx5: Fix driver load error flow when firmware is stuck - perf evsel: Fix probing of precise_ip level for default cycles event - perf probe: Fix probe definition for inlined functions - net/mlx5: Fix health work queue spin lock to IRQ safe - [armhf] usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq - [armhf] clk: samsung: Fix m2m scaler clock on Exynos542x - rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp - qed: Warn PTT usage by wrong hw-function - 
ocfs2: fix deadlock caused by recursive locking in xattr - net: cdc_ncm: GetNtbFormat endian fix - sctp: use right member as the param of list_for_each_entry - ALSA: hda - No loopback on ALC299 codec - ath10k: convert warning about non-existent OTP board id to debug message - ipv6: fix cleanup ordering for ip6_mr failure - IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush - IB/rxe: put the pool on allocation failure - nbd: only set MSG_MORE when we have more to send - mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()' - IB/mlx5: Avoid passing an invalid QP type to firmware - scsi: qla2xxx: Avoid double completion of abort command - drm: bochs: Don't remove uninitialized fbdev framebuffer - i40e: avoid NVM acquire deadlock during NVM update - Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" - Btrfs: incremental send, fix invalid memory access - [arm64] drm/msm: Fix possible null dereference on failure of get_pages() - l2tp: remove configurable payload offset - macsec: fix memory leaks when skb_to_sgvec fails - perf/core: Fix locking for children siblings group read - cifs: Use ULL suffix for 64-bit constant - futex: futex_wake_op, do not fail on invalid op - ALSA: hda - Fix incorrect usage of IS_REACHABLE() - enic: do not overwrite error code - bonding: ratelimit failed speed/duplex update warning - nvmet: fix space padding in serial number - iio: buffer: fix the function signature to match implementation - [x86] paravirt: Fix some warning messages - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' - libertas: call into generic suspend code before turning off power - xhci: Fix USB3 NULL pointer dereference at logical disconnect. 
- [armhf] dts: imx53-qsb: disable 1.2GHz OPP - rxrpc: Don't check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window() - rxrpc: Only take the rwind and mtu values from latest ACK - [x86] net: ena: fix NULL dereference due to untimely napi initialization - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() - mtd: spi-nor: Add support for is25wp series chips - Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing" - bridge: do not add port to router list when receives query with source 0.0.0.0 - net: bridge: remove ipv6 zero address check in mcast queries - ipv6: mcast: fix a use-after-free in inet6_mc_check - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called - llc: set SOCK_RCU_FREE in llc_sap_add_socket() - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs - net: sched: gred: pass the right attribute to gred_change_table_def() - net: socket: fix a missing-check bug - [arm64,armhf] net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules - net: udp: fix handling of CHECKSUM_COMPLETE packets - r8169: fix NAPI handling under high load - sctp: fix race on sctp_id2asoc - vhost: Fix Spectre V1 vulnerability - ethtool: fix a privilege escalation bug - bonding: fix length of actor system - net: drop skb on failure in ip_check_defrag() - net: fix pskb_trim_rcsum_slow() with odd trim offset - rtnetlink: Disallow FDB configuration for non-Ethernet device - ip6_tunnel: Fix encapsulation layout - crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned - ahci: don't ignore result code of ahci_reset_controller() - xfs: truncate transaction does not modify the inobt - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) - ptp: fix Spectre v1 vulnerability - drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl - RDMA/ucma: Fix Spectre v1 vulnerability - IB/ucm: Fix Spectre v1 vulnerability - cdc-acm: correct counting of UART states in serial state 
notification - usb: gadget: storage: Fix Spectre v1 vulnerability - USB: fix the usbfs flag sanitization for control transfers - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM - sched/fair: Fix throttle_list starvation with low CFS quota - [x86] percpu: Fix this_cpu_read() - [x86] time: Correct the attribute on jiffies' definition - posix-timers: Sanitize overrun handling (CVE-2018-12896) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.137 - bcache: fix miss key refill->end in writeback - jffs2: free jffs2_sb_info through jffs2_kill_sb() - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges - [arm64] ipmi: Fix timer race with module unload - [hppa/parisc] Fix address in HPMC IVA - [hppa/parisc] Fix map_pages() to not overwrite existing pte entries - ALSA: hda - Add quirk for ASUS G751 laptop - ALSA: hda - Fix headphone pin config for ASUS G751 - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops - [x86] speculation: Enable cross-hyperthread spectre v2 STIBP mitigation - [x86] corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided - [x86] speculation: Support Enhanced IBRS on future CPUs - Revert "perf tools: Fix PMU term format max value calculation" - xfrm: policy: use hlist rcu variants on insert - sched/fair: Fix the min_vruntime update logic in dequeue_entity() - perf cpu_map: Align cpu map synthesized events properly. 
- [x86] fpu: Remove second definition of fpu in __fpu__restore_sig() - net: qla3xxx: Remove overflowing shift statement - locking/lockdep: Fix debug_locks off performance problem - tun: Consistently configure generic netdev params via rtnetlink - [s390x] sthyi: Fix machine name validity indication - [armhf] hwmon: (pwm-fan) Set fan speed to 0 on suspend - perf tools: Free temporary 'sys' string in read_event_files() - perf tools: Cleanup trace-event-info 'tdata' leak - perf strbuf: Match va_{add,copy} with va_end - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 - iwlwifi: pcie: avoid empty free RB queue - [i386] x86/olpc: Indicate that legacy PC XO-1 platform should not register RTC - [arm64,armhf] cpufreq: dt: Try freeing static OPPs only if we have added them - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth - [arm64] pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux - brcmfmac: fix for proper support of 160MHz bandwidth - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers - [arm64] pinctrl: qcom: spmi-mpp: Fix drive strength setting - [arm64] pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant - [arm64] pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant - ixgbevf: VF2VF TCP RSS - ath10k: schedule hardware restart if WMI command times out - cgroup, netclassid: add a preemption point to write_classid - scsi: esp_scsi: Track residual for PIO transfers - scsi: megaraid_sas: fix a missing-check bug - RDMA/core: Do not expose unsupported counters - IB/ipoib: Clear IPCB before icmp_send - tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated - [x86] VMCI: Resource wildcard match fixed - ext4: fix argument checking in EXT4_IOC_MOVE_EXT - MD: fix invalid stored role for a disk - PCI/MSI: Warn and return error if driver enables MSI/MSI-X twice - [arm64,armhf] usb: chipidea: Prevent unbalanced IRQ 
disable - [amd64] driver/dma/ioat: Call del_timer_sync() without holding prep_lock - uio: ensure class is registered before devices - scsi: lpfc: Correct soft lockup when running mds diagnostics - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init - ALSA: hda: Check the non-cached stream buffers more explicitly - [armhf] dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes - [armhf] dts: exynos: Add missing cooling device properties for CPUs - [armhf] dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings - [armhf] dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250 - xen-swiotlb: use actually allocated size on check physical continuous - [x86] tpm: Restore functionality to xen vtpm driver. - xen/blkfront: avoid NULL blkfront_info dereference on device removal - [x86] xen: fix race in xen_qlock_wait() - [x86] xen: make xen_qlock_wait() nestable - libertas: don't set URB_ZERO_PACKET on IN USB transfer - [x86] usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten - iwlwifi: mvm: check return value of rs_rate_from_ucode_rate() - [x86] libnvdimm: Hold reference on parent while scheduling async init - [x86] ASoC: intel: skylake: Add missing break in skl_tplg_get_token() - jbd2: fix use after free in jbd2_log_do_checkpoint() - gfs2_meta: ->mount() can get NULL dev_name - ext4: initialize retries variable in ext4_da_write_inline_data_begin() - ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR - HID: hiddev: fix potential Spectre v1 - EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting - [amd64] EDAC, skx_edac: Fix logical channel intermediate decoding - PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk - [ppc64el] signal/GenWQE: Fix sending of SIGKILL - crypto: lrw - Fix out-of bounds access on counter overflow - crypto: tcrypt - fix ghash-generic speed test - ima: fix showing large 'violations' or 'runtime_measurements_count' - hugetlbfs: dirty pages as they are added to pagecache 
- [armhf] w1: omap-hdq: fix missing bus unregister at removal - smb3: allow stats which track session and share reconnects to be reset - smb3: do not attempt cifs operation in smb3 query info error path - smb3: on kerberos mount if server doesn't specify auth type use krb5 - printk: Fix panic caused by passing log_buf_len to command line - genirq: Fix race on spurious interrupt detection - NFSv4.1: Fix the r/wsize checking - nfsd: Fix an Oops in free_session() - lockd: fix access beyond unterminated strings in prints - dm ioctl: harden copy_params()'s copy_from_user() from malicious users - [powerpc*] msi: Fix compile error on mpc83xx - [mips*] OCTEON: fix out of bounds array access on CN68XX - media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD - [x86] xen: fix xen_qlock_wait() - media: em28xx: use a default format if TRY_FMT fails - media: tvp5150: avoid going past array on v4l2_querymenu() - media: em28xx: fix input name for Terratec AV 350 - media: em28xx: make v4l2-compliance happier by starting sequence on zero - [arm64] lse: remove -fcall-used-x0 flag - rpmsg: smd: fix memory leak on channel create - Cramfs: fix abad comparison when wrap-arounds occur - [arm64,armhf] soc/tegra: pmc: Fix child-node lookup - btrfs: Handle owner mismatch gracefully when walking up tree - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock - btrfs: fix error handling in free_log_tree - btrfs: iterate all devices during trim, instead of fs_devices::alloc_list - btrfs: don't attempt to trim devices that don't support it - btrfs: wait on caching when putting the bg cache - btrfs: reset max_extent_size on clear in a bitmap - btrfs: make sure we create all new block groups - Btrfs: fix wrong dentries after fsync of file that got its parent replaced - btrfs: qgroup: Dirty all qgroups before rescan - Btrfs: fix null pointer dereference on compressed write path error - btrfs: set max_extent_size properly - MD: fix invalid stored role for a disk - try2 
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.138 - [powerpc*] powerpc/eeh: Fix possible null deref in eeh_dump_dev_log() - tty: check name length in tty_find_polling_driver() - [powerpc*] nohash: fix undefined behaviour when testing page size support - [armhf] drm/omap: fix memory barrier bug in DMM driver - media: pci: cx23885: handle adding to list failure - [mips*] kexec: Mark CPU offline before disabling local IRQ - [powerpc*] boot: Ensure _zimage_start is a weak symbol - [mips*] PCI: Call pcie_bus_configure_settings() to set MPS/MRRS - media: tvp5150: fix width alignment during set_selection() - 9p locks: fix glock.client_id leak in do_lock - 9p: clear dangling pointers in p9stat_free - cdrom: fix improper type cast, which can leat to information leak. (CVE-2018-18710) - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters - scsi: qla2xxx: shutdown chip if reset fail - fuse: Fix use-after-free in fuse_dev_do_read() - fuse: Fix use-after-free in fuse_dev_do_write() - fuse: fix blocked_waitq wakeup - fuse: set FR_SENT while locked - mm: do not bug_on on incorrect length in __mm_populate() - e1000: avoid null pointer dereference on invalid stat type - e1000: fix race condition between e1000_down() and e1000_watchdog - bna: ethtool: Avoid reading past end of buffer - [hppa/parisc] Align os_hpmc_size on word boundary - [hppa/parisc] Fix HPMC handler by increasing size to multiple of 16 bytes - [hppa/parisc] Fix exported address of os_hpmc handler - [mips64el,mipsel] Loongson-3: Fix CPU UART irq delivery problem - [mips64le,mipsel] Loongson-3: Fix BRIDGE irq delivery problem - [armhf] clk: s2mps11: Fix matching when built as module and DT node contains compatible - [armhf] clk: rockchip: Fix static checker warning in rockchip_ddrclk_get_parent call - libceph: bump CEPH_MSG_MAX_DATA_LEN - Revert "ceph: fix dentry leak in splice_dentry()" - mach64: fix display corruption on big endian machines - mach64: fix image corruption due to reading 
accelerator registers - [arm64] reset: hisilicon: fix potential NULL pointer dereference - vhost/scsi: truncate T10 PI iov_iter to prot_bytes - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings - netfilter: conntrack: fix calculation of next bucket number in early_drop - termios, tty/tty_baudrate.c: fix buffer overrun - Btrfs: fix cur_offset in the error case for nocow - Btrfs: fix data corruption due to cloning of eof block - clockevents/drivers/i8253: Add support for PIT shutdown quirk - ext4: add missing brelse() update_backups()'s error path - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path - ext4: add missing brelse() add_new_gdb_meta_bg()'s error path - ext4: avoid potential extra brelse in setup_new_flex_group_blocks() - ext4: fix possible inode leak in the retry loop of ext4_resize_fs() - ext4: avoid buffer leak in ext4_orphan_add() after prior errors - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing - ext4: avoid possible double brelse() in add_new_gdb() on error path - ext4: fix possible leak of sbi->s_group_desc_leak in error path - ext4: fix possible leak of s_journal_flag_rwsem in error path - ext4: release bs.bh before re-using in ext4_xattr_block_find() - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path - ext4: fix buffer leak in __ext4_read_dirblock() on error path - mount: Retest MNT_LOCKED in do_umount - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts - mount: Prevent MNT_DETACH from disconnecting locked mounts - sunrpc: correct the computation for page_ptr when truncating - nfsd: COPY and CLONE operations require the saved filehandle to be set - rtc: hctosys: Add missing range error reporting - fuse: fix use-after-free in fuse_direct_IO() - fuse: fix leaked notify reply - configfs: replace strncpy with memcpy - lib/ubsan.c: don't mark __ubsan_handle_builtin_unreachable as noreturn - hugetlbfs: 
fix kernel BUG at fs/hugetlbfs/inode.c:444! - mm: migration: fix migration of huge PMD shared pages - [armhf] drm/rockchip: Allow driver to be shutdown on reboot/kexec - drm/dp_mst: Check if primary mstb is null - [x86] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values - [x86] drm/i915/execlists: Force write serialisation into context image vs execution - [arm64] KVM: Fix caching of host MDCR_EL2 value https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.139 - flow_dissector: do not dissect l4 ports for fragments - ip_tunnel: don't force DF when MTU is locked - net-gro: reset skb->pkt_type in napi_reuse_skb() - sctp: not allow to set asoc prsctp_enable by sockopt - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths - usbnet: smsc95xx: disable carrier check while suspending - inet: frags: better deal with smp races - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF - kbuild: Add better clang cross build support - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS - kbuild: Consolidate header generation from ASM offset information - kbuild: consolidate redundant sed script ASM offset generation - kbuild: fix asm-offset generation to work with clang - kbuild: drop -Wno-unknown-warning-option from clang options - kbuild, LLVMLinux: Add -Werror to cc-option to support clang - kbuild: use -Oz instead of -Os when using clang - kbuild: Add support to generate LLVM assembly files - modules: mark __inittest/__exittest as __maybe_unused - [x86] kbuild: Use cc-option to enable -falign-{jumps/loops} - [amd64] crypto, x86: aesni - fix token pasting for clang - kbuild: Add __cc-option macro - [x86] build: Use __cc-option for boot code compiler options - [x86] build: Specify stack alignment for clang - kbuild: clang: Disable 'address-of-packed-member' warning - [arm64] crypto: arm64/sha - avoid non-standard inline asm tricks - [x86] boot: #undef memcpy() et al in string.c - [arm64] efi/libstub/arm64: Use hidden attribute 
for struct screen_info reference - [arm64] efi/libstub/arm64: Force 'hidden' visibility for section markers - efi/libstub: Preserve .debug sections after absolute relocation check - [arm64] efi/libstub/arm64: Set -fpie when building the EFI stub - [x86] build: Fix stack alignment for CLang - [x86] build: Use cc-option to validate stack alignment parameter - Kbuild: use -fshort-wchar globally - [arm64] uaccess: suppress spurious clang warning - [armel,armhf] add more CPU part numbers for Cortex and Brahma B15 CPUs - [armel,armhf] bugs: prepare processor bug infrastructure - [armel,armhf] bugs: hook processor bug checking into SMP and suspend paths - [armel,armhf] bugs: add support for per-processor bug checking - [armel,armhf] spectre: add Kconfig symbol for CPUs vulnerable to Spectre - [armel,armhf] spectre-v2: harden branch predictor on context switches - [armel,armhf] spectre-v2: add Cortex A8 and A15 validation of the IBE bit - [armel,armhf] spectre-v2: harden user aborts in kernel space - [armel,armhf] spectre-v2: add firmware based hardening - [armel,armhf] spectre-v2: warn about incorrect context switching functions - [armel,armhf] KVM: invalidate BTB on guest exit for Cortex-A12/A17 - [armel,armhf] KVM: invalidate icache on guest exit for Cortex-A15 - [armel,armhf] spectre-v2: KVM: invalidate icache on guest exit for Brahma B15 - [armel,armhf] KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling - [armel,armhf] KVM: report support for SMCCC_ARCH_WORKAROUND_1 - [armel,armhf] spectre-v1: add speculation barrier (csdb) macros - [armel,armhf] spectre-v1: add array_index_mask_nospec() implementation - [armel,armhf] spectre-v1: fix syscall entry - [armel,armhf] signal: copy registers using __copy_from_user() - [armel,armhf] vfp: use __copy_from_user() when restoring VFP state - [armel,armhf] oabi-compat: copy semops using __copy_from_user() - [armel,armhf] use __inttype() in get_user() - [armel,armhf] spectre-v1: use get_user() for __get_user() - [armel,armhf] 
spectre-v1: mitigate user accesses https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.140 - Revert "x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation" - Revert "ipv6: set rt6i_protocol properly in the route when it is installed" https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.141 - cifs: don't dereference smb_file_target before null check - reiserfs: propagate errors from fill_with_dentries() properly - hfs: prevent btree data loss on root split - hfsplus: prevent btree data loss on root split - drm/edid: Add 6 bpc quirk for BOE panel. - clk: fixed-rate: fix of_node_get-put imbalance - fs/exofs: fix potential memory leak in mount option parsing - [armhf] clk: samsung: exynos5420: Enable PERIS clocks for suspend - [x86] platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 - [arm64] percpu: Initialize ret in the default case - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() - netfilter: xt_IDLETIMER: add sysfs filename checking routine - [s390x] qeth: fix HiperSockets sniffer - [ppc64el] hwmon: (ibmpowernv) Remove bogus __init annotations - clk: fixed-factor: fix of_node_get-put imbalance - qed: Fix memory/entry leak in qed_init_sp_request() - qed: Fix blocking/unlimited SPQ entries leak - zram: close udev startup race condition as default groups - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() - gfs2: Put bitmap buffers in put_super - btrfs: Enhance btrfs_trim_fs function to handle error better - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem - btrfs: fix pinned underflow after transaction aborted - Revert "media: videobuf2-core: don't call memop 'finish' when queueing" - Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" - media: v4l: event: Add subscription to list before calling "add" operation - uio: Fix an Oops on load - usb: cdc-acm: add entry for Hiro (Conexant) 
modem - USB: quirks: Add no-lpm quirk for Raydium touchscreens - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB - USB: misc: appledisplay: add 20" Apple Cinema Display - [x86] ACPI / platform: Add SMB0001 HID to forbidden_id_list - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges - libceph: fall back to sendmsg for slab pages https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.142 - usb: core: Fix hub port connection events lost - [arm64,armhf] usb: dwc3: core: Clean up ULPI device - usb: xhci: fix timeout for transition from RExit to U0 - MAINTAINERS: Add Sasha as a stable branch maintainer - gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path - iwlwifi: mvm: support sta_statistics() even on older firmware - iwlwifi: mvm: fix regulatory domain update when the firmware starts - brcmfmac: fix reporting support for 160 MHz channels - tools/power/cpupower: fix compilation with STATIC=true - v9fs_dir_readdir: fix double-free on p9stat_read error - selinux: Add __GFP_NOWARN to allocation at str_read() - bfs: add sanity check at bfs_fill_super() - sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer - gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd - llc: do not use sk_eat_skb() - mm: don't warn about large allocations for slab - drm/ast: change resolution may cause screen blurred - drm/ast: fixed cursor may disappear sometimes - drm/ast: Remove existing framebuffers before loading driver - can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() - can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length - can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds - can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb - IB/core: Fix for core panic - [amd64] IB/hfi1: Eliminate races in the SDMA send error path - usb: xhci: Prevent 
bus suspend if a port connect change or polling state is detected - [arm64] pinctrl: meson: fix pinconf bias disable - [armhf] cpufreq: imx6q: add return value check for voltage scale - floppy: fix race condition in __floppy_read_block_0() - [powerpc*] io: Fix the IO workarounds code to work with Radix - [x86] perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and CoffeeLake CPUs - SUNRPC: Fix a bogus get/put in generic_key_to_expire() - [powerpc*] numa: Suppress "VPHN is not supported" messages - [arm64,armhf] efi/arm: Revert deferred unmap of early memmap mapping - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset - of: add helper to lookup compatible child node - ath10k: fix kernel panic due to race in accessing arvif list - Input: xpad - add product ID for Xbox One S pad - Input: xpad - fix Xbox One rumble stopping after 2.5 secs - Input: xpad - correctly sort vendor id's - Input: xpad - move reporting xbox one home button to common function - Input: xpad - simplify error condition in init_output - Input: xpad - don't depend on endpoint order - Input: xpad - fix stuck mode button on Xbox One S pad - Input: xpad - restore LED state after device resume - Input: xpad - support some quirky Xbox One pads - Input: xpad - sort supported devices by USB ID - Input: xpad - sync supported devices with xboxdrv - Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth - Input: xpad - sync supported devices with 360Controller - Input: xpad - sync supported devices with XBCD - Input: xpad - constify usb_device_id - Input: xpad - fix PowerA init quirk for some gamepad models - Input: xpad - validate USB endpoint type during probe - Input: xpad - add support for PDP Xbox One controllers - Input: xpad - add PDP device id 0x02a4 - Input: xpad - fix some coding style issues - Input: xpad - avoid using __set_bit() for capabilities - Input: xpad - add GPD Win 2 Controller USB IDs - Input: xpad - fix GPD Win 2 controller name - Input: xpad 
- add support for Xbox1 PDP Camo series gamepad - mwifiex: prevent register accesses after host is sleeping - mwifiex: report error to PCIe for suspend failure - mwifiex: Fix NULL pointer dereference in skb_dequeue() - mwifiex: fix p2p device doesn't find in scan problem - scsi: ufs: fix bugs related to null pointer access and array size - scsi: ufshcd: Fix race between clk scaling and ungate work - scsi: ufs: fix race between clock gating and devfreq scaling work - scsi: ufshcd: release resources if probe fails - tty: wipe buffer. - tty: wipe buffer if not echoing data - usb: xhci: fix uninitialized completion when USB3 port got wrong status - sched/core: Allow __sched_setscheduler() in interrupts when PI is not used - namei: allow restricted O_CREAT of FIFOs and regular files - lan78xx: Read MAC address from DT if present - [s390x] mm: Check for valid vma before zapping in gmap_discard - net: ieee802154: 6lowpan: fix frag reassembly - Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC" - ima: always measure and audit files in policy - ima: re-introduce own integrity cache lock - ima: re-initialize iint->atomic_flags https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.143 - mm/huge_memory: rename freeze_page() to unmap_page() - mm/huge_memory.c: reorder operations in __split_huge_page_tail() - mm/huge_memory: splitting set mapping+index before unfreeze - mm/huge_memory: fix lockdep complaint on 32-bit i_size_read() - mm/khugepaged: collapse_shmem() stop if punched or truncated - shmem: shmem_charge: verify max_block is not exceeded before inode update - shmem: introduce shmem_inode_acct_block - mm/khugepaged: fix crashes due to misaccounted holes - mm/khugepaged: collapse_shmem() remember to clear holes - mm/khugepaged: minor reorderings in collapse_shmem() - mm/khugepaged: collapse_shmem() without freezing new_page - mm/khugepaged: collapse_shmem() do not crash on Compound - media: em28xx: Fix use-after-free when disconnecting 
- [arm64,armhf] Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()" - net: skb_scrub_packet(): Scrub offload_fwd_mark - [s390x] qeth: fix length check in SNMP processing - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 - [x86] kvm: mmu: Fix race in emulated page table writes - [x86] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb - [x86] KVM: Fix scan ioapic use-before-initialization (CVE-2018-19407) - Btrfs: ensure path name is null terminated at btrfs_control_ioctl - [x86] perf/x86/intel: Move branch tracing setup to the Intel-specific source file - [x86] perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts() - fs: fix lost error code in dio_complete - [i386] ALSA: wss: Fix invalid snd_free_pages() at error path - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write - ALSA: control: Fix race between adding and removing a user element - [sparc] ALSA: sparc: Fix invalid snd_free_pages() at error path - ext2: fix potential use after free - btrfs: release metadata before running delayed refs - USB: usb-storage: Add new IDs to ums-realtek - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series - Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid" - mm: use swp_offset as key in shmem_replace_page() - [x86] Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() - [amd64] misc: mic/scif: fix copy-paste error in scif_create_remote_lookup - [armhf] bus: arm-cci: remove unnecessary unreachable() - [armhf] trusted_foundations: do not use naked function - [x86] efi/libstub: Make file I/O chunking x86-specific https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.144 - kernfs: Replace strncpy with memcpy - ip_tunnel: Fix name string concatenate in __ip_tunnel_create() - scsi: bfa: convert to strlcpy/strlcat - [x86] staging: rts5208: fix gcc-8 logic error warning - [amd64] x86/power/64: Use char arrays for asm function names - iser: set sector 
for ambiguous mr status errors - uprobes: Fix handle_swbp() vs. unregister() + register() race once more - [mips*] fix mips_get_syscall_arg o32 check - IB/mlx5: Avoid load failure due to unknown link width - drm/ast: Fix incorrect free on ioregs - drm: set is_master to 0 upon drm_new_set_master() failure - scsi: scsi_devinfo: cleanly zero-pad devinfo strings - scsi: csiostor: Avoid content leaks and casts - [x86] svm: Add mutex_lock to protect apic_access_page_done on AMD systems - Input: xpad - quirk all PDP Xbox One gamepads - Input: elan_i2c - add ELAN0620 to the ACPI table - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR - Input: elan_i2c - add support for ELAN0621 touchpad - btrfs: Always try all copies when reading extent buffers - Btrfs: fix use-after-free when dumping free space - udf: Allow mounting volumes with incorrect identification strings - [arm64,armhf] reset: make optional functions really optional - [arm64,armhf] reset: core: fix reset_control_put - reset: fix optional reset_control_get stubs to return NULL - [arm64,armhf] reset: add exported __reset_control_get, return NULL if optional - [arm64,armhf] reset: make device_reset_optional() really optional - reset: remove remaining WARN_ON() in - mm: cleancache: fix corruption on missed inode invalidation (CVE-2018-16862) - net: qed: use correct strncpy() size - tipc: use destination length for copy string - libceph: drop len argument of *verify_authorizer_reply() - libceph: no need to drop con->mutex for ->get_authorizer() - libceph: store ceph_auth_handshake pointer in ceph_connection - libceph: factor out __prepare_write_connect() - libceph: factor out __ceph_x_decrypt() - libceph: factor out encrypt_authorizer() - libceph: add authorizer challenge (CVE-2018-1128) - libceph: implement CEPHX_V2 calculation mode (CVE-2018-1129) - libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() - libceph: check authorizer reply/challenge length before reading - bpf: Prevent memory 
disambiguation attack (CVE-2018-3639) - wil6210: missing length check in wmi_set_ie (CVE-2018-5848) - btrfs: validate type when reading a chunk (CVE-2018-14611) - btrfs: Verify that every chunk has corresponding block group at mount time (CVE-2018-14612) - btrfs: Refactor check_leaf function for later expansion - btrfs: Check if item pointer overlaps with the item itself - btrfs: Add sanity check for EXTENT_DATA when reading out leaf - btrfs: Add checker for EXTENT_CSUM - btrfs: Move leaf and node validation checker to tree-checker.c - btrfs: struct-funcs, constify readers - btrfs: tree-checker: Enhance btrfs_check_node output - btrfs: tree-checker: Fix false panic for sanity test - btrfs: tree-checker: Add checker for dir item - btrfs: tree-checker: use %zu format string for size_t - btrfs: tree-check: reduce stack consumption in check_dir_item - btrfs: tree-checker: Verify block_group_item (CVE-2018-14613) - btrfs: tree-checker: Detect invalid and empty essential trees (CVE-2018-14612) - btrfs: Check that each block group has corresponding chunk at mount time (CVE-2018-14610) - btrfs: tree-checker: Check level for leaves and nodes - btrfs: tree-checker: Fix misleading group system information - f2fs: fix race condition in between free nid allocator/initializer (CVE-2017-18249) - f2fs: detect wrong layout - f2fs: return error during fill_super - f2fs: check blkaddr more accuratly before issue a bio - f2fs: sanity check on sit entry - f2fs: enhance sanity_check_raw_super() to avoid potential overflow - f2fs: clean up with is_valid_blkaddr() - f2fs: introduce and spread verify_blkaddr - f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100) - f2fs: fix to do sanity check with user_block_count (CVE-2018-13097) - f2fs: Add sanity_check_inode() function - f2fs: fix to do sanity check with node footer and iblocks (CVE-2018-13096) - f2fs: fix to do sanity check with block address in main area - f2fs: fix missing up_read - f2fs: fix to do sanity check with block 
address in main area v2 (CVE-2018-14616) - f2fs: free meta pages if sanity check for ckpt is failed - f2fs: fix to do sanity check with cp_pack_start_sum (CVE-2018-14614) - xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE (CVE-2018-18690) - hugetlbfs: fix bug in pgoff overflow checking . [ Ben Hutchings ] * drivers/net/ethernet: Ignore ABI changes (fixes FTBFS on arm64; Closes: #914556) * libcpupower: Hide private function and drop it from .symbols file * Revert "elevator: fix truncation of icq_cache_name" to avoid ABI change * reset: Avoid ABI changes in 4.9.144 * esp_scsi: Ignore ABI changes * snd-hda: Ignore ABI changes * posix-timers: Avoid ABI change in 4.9.136 * sched: Avoid ABI change in 4.9.136 * [armel,armhf] Avoid ABI change in 4.9.139 . [ Noah Meyerhans ] * [arm64] PCI: Enable HOTPLUG_PCI and HOTPLUG_PCI_ACPI (Closes: #915231) * drivers/net/ethernet/amazon: Backport ENA 2.0.2 network driver (Closes: #915229) . [ Salvatore Bonaccorso ] * [rt] Refresh 0159-genirq-Allow-disabling-of-softirq-processing-in-irq-.patch for context changes in 4.9.137 * Refresh mips-loongson-3-support-irq_set_affinity-in-i8259-ch.patch for context changes in 4.9.138 * Refresh kbuild-use-nostdinc-in-compile-tests.patch for context changes in 4.9.139 * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes in 4.9.139 * scripts/mod: Update modpost wrapper for 4.9.139. Upstream commit cf0c3e68aa81 "kbuild: fix asm-offset generation to work with clang" changed the macros used by devicetable-offsets.c. Copy the new sed code from upstream scripts/Makefile.lib. Originates from the same change for 4.12 done by Ben Hutchings. * Refresh media-v4l-avoid-abi-change-in-4.9.131.patch for context changes in 4.9.141 * Refresh fs-enable-link-security-restrictions-by-default.patch for context changes in 4.9.142 * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes in 4.9.142 . 
[ Michal Simek ] * [arm64] Enable Xilinx ZynqMP SoC and drivers linux (4.9.135-1) stretch; urgency=medium . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.131 - crypto: skcipher - Fix -Wstringop-truncation warnings - tsl2550: fix lux1_input error in low light - [x86] vmci: type promotion bug in qp_host_get_user_memory() - [amd64] numa_emulation: Fix emulated-to-physical node mapping - [x86] staging: rts5208: fix missing error check on call to rtsx_write_register - uwb: hwa-rc: fix memory leak at probe - [arm64,armhf] power: vexpress: fix corruption in notifier registration - [amd64] iommu/amd: make sure TLB to be flushed before IOVA freed - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 - USB: serial: kobil_sct: fix modem-status error handling - 6lowpan: iphc: reset mac_header after decompress to fix panic - [s390x] mm: correct allocate_pgste proc_handler callback - power: remove possible deadlock when unregistering power_supply - IB/core: type promotion bug in rdma_rw_init_one_mr() - [powerpc*] kdump: Handle crashkernel memory reservation failure - [x86] tsc: Add missing header to tsc_msr.c - [armhf] hwmod: RTC: Don't assume lock/unlock will be called with irq enabled - [x86] entry/64: Add two more instruction suffixes - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size - scsi: klist: Make it safe to use klists in atomic context - [powerpc/powerpc64,ppc64*] scsi: ibmvscsi: Improve strings handling - usb: wusbcore: security: cast sizeof to int for comparison - [ppc64el] powerpc/powernv/ioda2: Reduce upper limit for DMA window size - alarmtimer: Prevent overflow for relative nanosleep (CVE-2018-13053) - [s390x] extmem: fix gcc 8 stringop-overflow warning - [armhf] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data - drivers/tty: add error handling for pcmcia_loop_config - [x86] media: tm6000: add error handling for dvb_register_adapter - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME 
for AMD Raven Ridge - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() - [arm64,armhf] wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() - [armhf] mvebu: declare asm symbols as character arrays in pmsu.c - HID: hid-ntrig: add error handling for sysfs_create_group - [x86] perf/x86/intel/lbr: Fix incomplete LBR call stack - scsi: bnx2i: add error handling for ioremap_nocache - scsi: megaraid_sas: Update controller info during resume - [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove - ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs - nfsd: fix corrupted reply to badly ordered compound - EDAC: Fix memleak in module init error path - [armhf] dts: dra7: fix DCAN node addresses - [arm64] spi: tegra20-slink: explicitly enable/disable clock - [arm*] regulator: fix crash caused by null driver data - USB: fix error handling in usb_driver_claim_interface() - USB: handle NULL config in usb_find_alt_setting() - slub: make ->cpu_partial unsigned int - media: uvcvideo: Support realtek's UVC 1.5 device - USB: usbdevfs: sanitize flags more - USB: usbdevfs: restore warning for nonsensical flags - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()" - USB: remove LPM management from usb_driver_claim_interface() - Input: elantech - enable middle button of touchpad on ThinkPad P72 - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop - [amd64] IB/hfi1: Invalid user input can result in crash - [amd64] IB/hfi1: Fix context recovery when PBC has an UnsupportedVL - scsi: target: iscsi: Use bin2hex instead of a re-implementation - [armhf] serial: imx: restore handshaking irq for imx1 - [amd64] IB/hfi1: Fix SL array bounds check - qed: Wait for ready indication before rereading the shmem - qed: Wait for MCP halt and resume commands to take place - [arm*] thermal: of-thermal: disable passive 
polling when thermal zone is disabled - [arm64] net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES - [arm64] net: hns: fix skb->truesize underestimation - e1000: check on netif_running() before calling e1000_up() - e1000: ensure to free old tx/rx rings in set_ringparam() - hwmon: (adt7475) Make adt7475_read_word() return errors - [x86] drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode - [arm*] smccc-1.1: Make return values unsigned long - [arm*] smccc-1.1: Handle function result as parameters - [x86] i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus - media: v4l: event: Prevent freeing event subscriptions while accessed https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.132 - [arm64] serial: mvebu-uart: Fix reporting of effective CSIZE to userspace - time: Introduce jiffies64_to_nsecs() - mac80211: Run TXQ teardown code before de-registering interfaces - [ppc64el] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X - mac80211: mesh: fix HWMP sequence numbering to follow standard - [arm64] net: hns: add netif_carrier_off before change speed and duplex - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE - gpio: Fix crash due to registration race - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() - mac80211: fix a race between restart and CSA flows - mac80211: Fix station bandwidth setting after channel switch - mac80211: don't Tx a deauth frame if the AP forbade Tx - mac80211: shorten the IBSS debug messages - mm: madvise(MADV_DODUMP): allow hugetlbfs pages - HID: add support for Apple Magic Keyboards - HID: hid-saitek: Add device ID for RAT 7 Contagion - perf evsel: Fix potential null pointer dereference in 
perf_evsel__new_idx() - [ppc64el] perf probe powerpc: Ignore SyS symbols irrespective of endianness - RDMA/ucma: check fd type in ucma_migrate_id() - USB: yurex: Check for truncation in yurex_read() - nvmet-rdma: fix possible bogus dereference under heavy load - net/mlx5: Consider PCI domain in search for next dev - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS - dm raid: fix rebuild of specific devices by updating superblock - fs/cifs: suppress a string overflow warning - [x86] net: ena: fix driver when PAGE_SIZE == 64kB - [x86] perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing CPUs - dm thin metadata: try to avoid ever aborting transactions - [arm64] jump_label.h: use asm_volatile_goto macro instead of "asm goto" - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED - [s390x] qeth: use vzalloc for QUERY OAT buffer - [s390x] qeth: don't dump past end of unknown HW header - cifs: read overflow in is_valid_oplock_break() - xen/manage: don't complain about an empty value in control/sysrq node - xen: avoid crash in disable_hotplug_cpu - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage - sysfs: Do not return POSIX ACL xattrs via listxattr - smb2: fix missing files in root share directory listing - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 - [x86] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe() - gpiolib: Free the last requested descriptor - proc: restrict kernel stack dumps to root (CVE-2018-17972) - ocfs2: fix locking for res->tracking and dlm->tracking_list - dm thin metadata: fix __udivdi3 undefined on 32-bit https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.133 - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly - [amd64] x86/vdso: Fix asm constraints on vDSO syscall fallbacks - [amd64] x86/vdso: Fix vDSO syscall fallback asm constraint regression - PCI: Reprogram bridge prefetch registers on resume - mac80211: fix 
setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys - PM / core: Clear the direct_complete flag on errors - dm cache metadata: ignore hints array being too small during resize - dm cache: fix resize crash if user doesn't reload cache table - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI - USB: serial: simple: add Motorola Tetra MTP6550 id - tty: Drop tty->count on tty_reopen() failure - cgroup: Fix deadlock in cpu hotplug path - ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait - ath10k: fix kernel panic issue during pci probe - f2fs: fix invalid memory access - ucma: fix a use-after-free in ucma_resolve_ip() - ubifs: Check for name being NULL while mounting - ath10k: fix scan crash due to incorrect length calculation - ebtables: arpreply: Add the standard target sanity check - [x86] fpu: Remove use_eager_fpu() - [x86] fpu: Remove struct fpu::counter - Revert "perf: sync up x86/.../cpufeatures.h" - [x86] fpu: Finish excising 'eagerfpu' https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.134 - [armhf] mfd: omap-usb-host: Fix dts probe of children - scsi: iscsi: target: Don't use stack buffer for scatterlist - scsi: qla2xxx: Fix an endian bug in fcpcmd_is_corrupted() - sound: enable interrupt after dma buffer initialization - [arm64,armhf] stmmac: fix valid numbers of unicast filter entries - [x86] kvm/lapic: always disable MMIO interface in x2APIC mode - ext4: Fix error code in ext4_xattr_set_entry() - mm/vmstat.c: fix outdated vmstat_text - mach64: detect the dot clock divider correctly on sparc - [x86] i2c: i2c-scmi: fix for i2c_smbus_write_block_data - xhci: Don't print a warning when setting link state for disabled ports - bnxt_en: Fix TX timeout during netpoll. 
- bonding: avoid possible dead-lock - ip6_tunnel: be careful when accessing the inner header - ip_tunnel: be careful when accessing the inner header - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() - ipv6: take rcu lock in rawv6_send_hdrinc() - [armhf] net: dsa: bcm_sf2: Call setup during switch resume - [arm64] net: hns: fix for unmapping problem when SMMU is on - net: ipv4: update fnhe_pmtu when first hop's MTU changes - net/ipv6: Display all addresses in output of /proc/net/if_inet6 - net/usb: cancel pending work when unbinding smsc75xx - qlcnic: fix Tx descriptor corruption on 82xx devices - qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface - team: Forbid enslaving team device to itself - [armhf] net: dsa: bcm_sf2: Fix unbind ordering - [armhf] net: mvpp2: Extract the correct ethtype from the skb for tx csum offload - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 - tcp/dccp: fix lockdep issue when SYN is backlogged - inet: make sure to grab rcu_read_lock before using ireq->ireq_opt - inet: frags: change inet_frags_init_net() return value - inet: frags: add a pointer to struct netns_frags - inet: frags: refactor ipfrag_init() - inet: frags: refactor ipv6_frag_init() - inet: frags: refactor lowpan_net_frag_init() - ipv6: export ip6 fragments sysctl to unprivileged users - rhashtable: add schedule points - inet: frags: use rhashtables for reassembly units - inet: frags: remove some helpers - inet: frags: get rif of inet_frag_evicting() - inet: frags: remove inet_frag_maybe_warn_overflow() - inet: frags: do not clone skb in ip_expire() - ipv6: frags: rewrite ip6_expire_frag_queue() - inet: frags: get rid of ipfrag_skb_cb/FRAG_CB - ip: discard IPv4 datagrams with overlapping segments. - net: speed up skb_rbtree_purge() - net: modify skb_rbtree_purge to return the truesize of all purged skbs.
- ipv6: defrag: drop non-last frags smaller than min mtu - net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends - net: add rb_to_skb() and other rb tree helpers - ip: use rb trees for IP frag queue. - ip: add helpers to process in-order fragments faster. - ip: process in-order fragments efficiently - ip: frags: fix crash in ip_do_fragment() - ipv4: frags: precedence bug in ip_expire() https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135 - media: af9035: prevent buffer overflow on write - batman-adv: Fix segfault when writing to throughput_override - batman-adv: Fix segfault when writing to sysfs elp_interval - batman-adv: Prevent duplicated nc_node entry - batman-adv: Prevent duplicated softif_vlan entry - batman-adv: Prevent duplicated global TT entry - batman-adv: Prevent duplicated tvlv handler - batman-adv: fix backbone_gw refcount on queue_work() failure - batman-adv: fix hardif_neigh refcount on queue_work() failure - [armhf] clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs - [powerpc*/*64*] scsi: ibmvscsis: Fix a stringop-overflow warning - [powerpc*/*64*] scsi: ibmvscsis: Ensure partition name is properly NUL terminated - [arm64] drm: mali-dp: Call drm_crtc_vblank_reset on device init - scsi: sd: don't crash the host on invalid commands - net/mlx4: Use cpumask_available for eq->affinity_mask - [powerpc*] tm: Fix userspace r13 corruption - [powerpc*] tm: Avoid possible userspace r1 corruption on reclaim - [amd64] iommu/amd: Return devid as alias for ACPI HID devices - mremap: properly flush TLB before releasing the page (CVE-2018-18281) - mm: Preserve _PAGE_DEVMAP across mprotect() calls - netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info - HID: quirks: fix support for Apple Magic Keyboards - usb: gadget: serial: fix oops when data rx'd after close - sched/cputime: Convert kcpustat to nsecs - sched/cputime: Increment kcpustat directly on irqtime account - sched/cputime: Fix 
ksoftirqd cputime accounting regression - [x86] HV: properly delay KVP packets when negotiation is in progress . [ Ben Hutchings ] * Resolve ABI changes caused by upstream fix for CVE-2018-5391: - Revert "inet: frags: fix ip6frag_low_thresh boundary" - Revert "inet: frags: reorganize struct netns_frags" - Revert "rhashtable: reorganize struct rhashtable layout" - Revert "inet: frags: break the 2GB limit for frags storage" - inet: frags: Avoid ABI change in 4.9.134 - sk_buff: Avoid ABI change in 4.9.134 - snmp: Remove the ReasmOverlaps statistic - ipv6: Ignore ABI changes in fragment reassembly functions * [x86] fpu: Avoid ABI change in 4.9.133 * power: Avoid ABI change in 4.9.131 * slub: Avoid ABI change in 4.9.131 * media: v4l: Avoid ABI change in 4.9.131 * netdev: Hide netdev_notifier_info_ext from modules * [x86] Revert "x86/mm: Expand static page table for fixmap space" linux-igd (1.0+cvs20070630-5+deb9u1) stretch; urgency=medium . * QA upload. * Set maintainer to the QA group. * Make the init script require $network; patch by Nye Liu (Closes: #885826) lttng-modules (2.9.0-1+deb9u1) stable; urgency=medium . * [c3d8eab] Stretch gbp branch config * [ee40323] Fix build on linux-rt 4.9 kernels. (Closes: #864404) * [b20f74a] Fix build on >= 4.9.0-3 kernels (Closes: #889901) mistral (3.0.0-4+deb9u1) stretch; urgency=medium . * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files, applied upstream patch: remove extra information from std.ssh action. (Closes: #912714). monkeysign (2.2.3+deb9u1) stretch; urgency=medium . * upload to Debian stable mpqc (2.3.1-18+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport the sc-libtool fix from 2.3.1-19. . [ Michael Banck ] * debian/libsc-dev.install: Install sc-libtool as well, thanks to Hideki Yamane (closes: #873719). mupdf (1.9a+ds1-4+deb9u4) stretch-security; urgency=high . 
* Fix CVE-2017-17866, CVE-2018-1000037, CVE-2018-1000040, CVE-2018-5686, CVE-2018-6187, and CVE-2018-6192 (Closes: #885120, #887130, #888464, #888487) netatalk (2.2.5-2+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Unauthenticated remote code execution in Netatalk (CVE-2018-1160) nginx (1.10.3-1+deb9u2) stretch-security; urgency=high . * Backport http2_max_requests directive needed for CVE-2018-16844 mitigation * Backport upstream fixes for 3 CVEs (Closes: #913090) + CVE-2018-16843 Excessive memory usage in HTTP/2 + CVE-2018-16844 Excessive CPU usage in HTTP/2 This change limits the maximum allowed number of idle state switches to 10 * http2_max_requests (i.e., 10000 by default). This limits possible CPU usage in one connection, and also imposes a limit on the maximum lifetime of a connection + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module nvidia-graphics-drivers (390.87-8~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-graphics-drivers (390.87-8) unstable; urgency=medium . * Tune more package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. . nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . * Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. . nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . 
nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. * Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. . nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. . nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. . nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". . nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). 
- Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . [ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to unsupported relocations. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. . nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . * New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. - Fixed a bug that caused kwin OpenGL compositing to crash when launching certain OpenGL applications. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. . nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. . nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #901919) . 
nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. * (Closes: #884917) . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) . nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Fixed intermittent hangs of fullscreen Vulkan applications when focused away (e.g., by using the alt-tab key combination) on non-composited desktops. - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. (Closes: #900112, #902375) . nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . * Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. 
* Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. . nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. . nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. (Closes: #894338) https://nvidia.custhelp.com/app/answers/detail/a_id/4649 - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. . nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options." . [ Andreas Beckmann ] * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. 
(Closes: #892413) * Remove obsolete bits from README.source. . nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. . nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. * (Closes: #872988) . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. . nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. 
- Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. - Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . [ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the Volta GPUs (VDPAU feature set I), e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. . nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4 (unstable), 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. . nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . 
[ Luca Boccassi ] * Add timer.patch to fix kernel module build for Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx short lived branch. . nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. . nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). (Closes: #881164) - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). - Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. 
      G-SYNC is enabled by default when using G-SYNC-ready monitors. For
      direct-to-display swapchains, an application profile with
      "GLGSYNCAllowed" setting set to 'false' can be used to disable this
      feature:
        { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] }
  * New upstream beta 387.12 (2017-10-03).
    - Fixed a regression that caused some display connectors on some GPUs to
      not report a connected HDMI or DisplayPort audio device even if the
      connected monitor supports audio.
    - Fixed a race condition that could lead to crashes when OpenGL programs
      manipulated vertex buffer objects from multiple threads simultaneously.
    - Improved performance of fullscreen Vulkan applications using X11
      swapchains. This optimization will cause more events that trigger an
      out-of-date swapchain, such as when entering or leaving fullscreen
      mode. (This is commonly encountered when using the alt-tab key
      combination, for example.) Applications that do not properly respond
      to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly
      when these events occur. See section 30.8 of the Vulkan specification.
    - Added support for YUV 4:2:0 compression for monitors connected via
      DisplayPort in configurations where either the display or GPU is
      incapable of driving the current mode in RGB 4:4:4. See the
      description in the "Programming Modes" appendix for details.
    - Added framebuffer console hot plug handling to nvidia-modeset. Note
      that hot plugging is only handled when nvidia-modeset is initialized;
      for example, when Xorg or nvidia-persistenced is running or when
      nvidia-drm is loaded with the "modeset=1" parameter.
    - Added an "AllowGSYNC" MetaMode attribute that can be used to disable
      G-SYNC completely. This can be used to allow enabling features that are
      incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock.
    - Fixed several problems that prevented the "cc_version_check" sanity
      test from running correctly when building the NVIDIA kernel modules.
As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. . [ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in NVIDIA's license, which warns that the drivers are licensed for usage with NVIDIA hardware. * Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. nvidia-graphics-drivers (390.87-8~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-8) unstable; urgency=medium . * Tune more package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. . nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . 
* Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. * Drop versioned constraints that are satisfied in jessie. nvidia-graphics-drivers (390.87-7) unstable; urgency=medium . * Updated French (fr) debconf translations by Quentin Lejard. (Closes: #920940) * Use d/control.md5sum to keep track of d/control being up-to-date. * Tune package relationships to prevent that installing packages from nvidia-graphics-drivers-legacy-390xx driver pulls in packages from nvidia-graphics-drivers via Recommends. * Drop versioned constraints that are satisfied in wheezy. * Drop versioned constraints that are satisfied in jessie. nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . [ Andreas Beckmann ] * Switch to debhelper-compat (= 12). nvidia-graphics-drivers (390.87-6~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-6) unstable; urgency=medium . [ Luca Boccassi ] * Add ipmi-user.patch and vm-insert-pfn.patch to fix kernel module build for Linux 4.20 and newer. (Closes: #917586) * Update Swedish (sv) debconf translation. Thank you Martin Bagge! (Closes: #918018) . [ Andreas Beckmann ] * Switch to debhelper-compat (= 12). . nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. 
* Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. nvidia-graphics-drivers (390.87-5) unstable; urgency=medium . * Prefer KBUILD_LDFLAGS (used since 4.19) over LDFLAGS. (Closes: #916883) * Work around update-alternatives bug #916799 and re-register the alternative to clean-up leftover slaves. * Bump Standards-Version to 4.3.0. No changes needed. * Update lintian overrides. nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. nvidia-graphics-drivers (390.87-4~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-4) unstable; urgency=medium . [ Andreas Beckmann ] * Drop libnvidia-egl-wayland1, nvidia-egl-wayland-{common,icd} packages. These will be provided by src:egl-wayland. (Closes: #915824) * Add more Conflicts between GLVND/non-GLVND packages to smoothen some install paths with --install-recommends enabled. . [ Philipp Kern ] * debian/gen-control.pl: Generate debian/control from debian/control.in. . nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. 
* Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. * Switch to debhelper-compat (= 11). nvidia-graphics-drivers (390.87-3) unstable; urgency=medium . * Make libgles-nvidia1 a full citizen again, libglvnd now builds libgles1. * libnvidia-fatbinaryloader: Prevent co-installation with the same upstream version of libnvidia-legacy-390xx-fatbinaryloader. * Pass the private library directory to dh_shlibdeps using the -l option instead of LD_LIBRARY_PATH, fixing FTBFS with dpkg 1.19.1. * Add Build-Depends-Package to symbols files where appropriate and override symbols-file-missing-build-depends-package-field elsewhere. * Clean up and unify rule style in debian/rules. * Add debian/rules targets for archiving the tarballs in a separate repository using sparse checkouts and git-lfs as storage backend. * Switch to debhelper-compat (= 11). nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". nvidia-graphics-drivers (390.87-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.87-2) unstable; urgency=medium . * Reinstate cc_version_check-gcc5.patch. (Closes: #908568) * nvidia-kernel-dkms.README.Debian: Document that using a mismatching binutils version may result in modules failing to load with errors like "Invalid module format", "Unknown rela relocation: 4". . nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). - Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . 
[ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to unsupported relocations. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. nvidia-graphics-drivers (390.87-1) unstable; urgency=medium . * New upstream long lived branch release 390.87 (2018-08-27). - Fixed a resource leak introduced in the 390 series of drivers that could lead to reduced performance after starting and stopping several OpenGL and/or Vulkan applications. . [ Luca Boccassi ] * Update nv-readme.ids. * Add drm-mode.patch to fix nvidia-drm build for Linux 4.19. (Closes: #908359) . [ Andreas Beckmann ] * Remove cc_version_check-gcc5.patch and re-enable strict version checks, using mismatching compiler versions may create unloadable modules due to mismatching symvers. * Refresh patches. * Synchronize the module build debhelper sequence with debhelper 10. * Bump Standards-Version to 4.2.1. No changes needed. nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . * New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. nvidia-graphics-drivers (390.77-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Use vulkan from stretch-backports. . nvidia-graphics-drivers (390.77-1) unstable; urgency=medium . 
* New upstream long lived branch release 390.77 (2018-07-16). - Improved compatibility with recent Linux kernels. - Fixed an intermittent hang of Vulkan applications running fullscreen when flipping is allowed. - Removed informational messages that were printed by nvidia-modeset.ko whenever a GPU device was allocated or freed. * New upstream release 367 series. - Updated the OpenGL driver to allow the use of integer format (SINT/UINT) color attachments with depth attachments in Frame Buffer Objects. . nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-graphics-drivers (390.67-3) unstable; urgency=medium . [ Luca Boccassi ] * Add drm_control_allow.patch to fix kernel module build for Linux 4.18 and newer. . [ Andreas Beckmann ] * The libGLX_indirect.so.0 alternative is now handled by glx-alternatives. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. linux-image-4.16.0-2-* or newer). (Closes: #901919) nvidia-graphics-drivers (390.67-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Use libglvnd and MESA from stretch-backports. . nvidia-graphics-drivers (390.67-2) unstable; urgency=high . * Add kmem_cache_create_usercopy.patch from Red Hat, fixing "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_cache'" on Linux kernels that have disabled CONFIG_HARDENED_USERCOPY_FALLBACK (i.e. 
linux-image-4.16.0-2-* or newer). (Closes: #901919) . nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) . nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Fixed intermittent hangs of fullscreen Vulkan applications when focused away (e.g., by using the alt-tab key combination) on non-composited desktops. - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. (Closes: #900112) . nvidia-graphics-drivers (390.48-4) UNRELEASED; urgency=medium . * Stop building lib*-glvnd-nvidia, now built from the 390xx legacy driver. * Switch to debhelper compat level 11. . nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . 
* Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. * Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. nvidia-graphics-drivers (390.67-1) unstable; urgency=medium . * New upstream long lived branch release 390.67 (2018-06-05). - Fixed a bug that could cause kernel panics when using Quadro SDI Capture hardware. - Fixed an intermittent crash when launching Vulkan applications. - Fixed an intermittent crash when launching applications through Wine. - Fixed a bug that caused the driver, in some low bandwidth DisplayPort configurations, to not implicitly enable display dithering. This resulted in visible banding. . [ Andreas Beckmann ] * Convert packaging repository from SVN to GIT. * Update nv-readme.ids. * nvidia-detect: Drop support for wheezy(-lts) (EoL). * Add NEWS entry for using the driver on Linux 4.16.16-1 or newer, which may require the kernel boot option slab_common.usercopy_fallback=y as a workaround. (See #901919 for details.) * nvidia-drm-outputclass.conf: Prepend (in a backwards-compatible way) ModulePath "/usr/lib/xorg/modules/linux" since xserver 1.20 no longer does that. (Closes: #900248, #900264, #900378, #900766) nvidia-graphics-drivers (390.59-1) unstable; urgency=medium . * New upstream long lived branch release 390.59 (2018-05-16). - Added support for the following GPUs: GeForce GTX 1050 with Max-Q Design, Tesla V100-FHHL-16GB, Quadro P3200, Quadro P4200. . [ Andreas Beckmann ] * Stop building lib*-glvnd-nvidia, now built from the 390xx legacy driver. * Switch to debhelper compat level 11. . [ Luca Boccassi ] * Drop swiotlb.patch, fixed upstream. * Update nv-readme.ids. * Update symbols files. * Add xorg-video-abi-24 as alternative dependency. * Bump xserver-xorg-core dependency to << 2:1.20.99 for ABI 24. 
(Closes: #900112) nvidia-graphics-drivers (390.48-3) unstable; urgency=medium . * Prepare nvidia-detect for the upcoming nvidia-legacy-390xx packages. * Prepare for the removal of i386/armhf support in 396.xx. * Support renamed variants of libnvidia-egl-wayland1/nvidia-egl-wayland-icd in legacy drivers. * Restrict watch file to releases from the 390.xx legacy branch. nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. nvidia-graphics-drivers (390.48-2~bpo9+3) stretch-backports; urgency=medium . * Add Conflicts against glvnd-aware MESA >= 17 from stretch-backports. * Fix some upgrade issues from older versions in stretch. nvidia-graphics-drivers (390.48-2~bpo9+2) stretch-backports; urgency=medium . * Disable alternative dependencies and add Conflicts against libglvnd from stretch-backports. nvidia-graphics-drivers (390.48-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-graphics-drivers (390.48-2) unstable; urgency=medium . [ Luca Boccassi ] * Fix loading nvidia kernel module on Linux 4.16 due to missing symbol. (Closes: #895429) . [ Andreas Beckmann ] * Bump Standards-Version to 4.1.4. No changes needed. . nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. 
G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. . nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options." . [ Andreas Beckmann ] * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. (Closes: #892413) * Remove obsolete bits from README.source. . nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. . nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. 
* Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. . nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. - Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. 
- Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . [ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the Volta GPUs (VDPAU feature set I), e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. . nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4 (unstable), 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. . nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx short lived branch. . nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. . nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). 
(Closes: #881164) - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). - Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. G-SYNC is enabled by default when using G-SYNC-ready monitors. For direct-to-display swapchains, an application profile with "GLGSYNCAllowed" setting set to 'false' can be used to disable this feature: { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] } * New upstream beta 387.12 (2017-10-03). - Fixed a regression that caused some display connectors on some GPUs to not report a connected HDMI or DisplayPort audio device even if the connected monitor supports audio. - Fixed a race condition that could lead to crashes when OpenGL programs manipulated vertex buffer objects from multiple threads simultaneously. - Improved performance of fullscreen Vulkan applications using X11 swapchains. This optimization will cause more events that trigger an out-of-date swapchain, such as when entering or leaving fullscreen mode. (This is commonly encountered when using the alt-tab key combination, for example.) 
Applications that do not properly respond to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly when these events occur. See section 30.8 of the Vulkan specification. - Added support for YUV 4:2:0 compression for monitors connected via DisplayPort in configurations where either the display or GPU is incapable of driving the current mode in RGB 4:4:4. See the description in the "Programming Modes" appendix for details. - Added framebuffer console hot plug handling to nvidia-modeset. Note that hot plugging is only handled when nvidia-modeset is initialized; for example, when Xorg or nvidia-persistenced is running or when nvidia-drm is loaded with the "modeset=1" parameter. - Added an "AllowGSYNC" MetaMode attribute that can be used to disable G-SYNC completely. This can be used to allow enabling features that are incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock. - Fixed several problems that prevented the "cc_version_check" sanity test from running correctly when building the NVIDIA kernel modules. As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. . 
[ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in NVIDIA's license, which warns that the drivers are licensed for usage with NVIDIA hardware. * Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. . nvidia-graphics-drivers (384.130-1) stretch; urgency=medium . * New upstream long lived branch release 384.130 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Improved compatibility with recent Linux kernels. - Fixed a string concatenation bug that caused libGL to accidentally try to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases where /tmp isn't accessible. (Closes: #888028) - Increased the version numbers of the GLVND libGL, libGLESv1_CM, libGLESv2, and libEGL libraries, to prevent concurrently installed non-GLVND libraries from taking precedence in the dynamic linker cache. * New upstream release 340 series. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). . [ Luca Boccassi ] * Install the renamed GLVND libraries and add SONAME symlinks. . [ Andreas Beckmann ] * Bump the required glx-diversions/glx-alternative-nvidia version for the renamed GLVND libraries. * Upload to stretch . nvidia-graphics-drivers (384.111-4~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * Relax the libvulkan1 (build-)dependency. * Do not conflict with *-glvnd-nvidia, there is no libglvnd in stretch. * Continue recommending the GLESv1 library for stretch. . 
nvidia-graphics-drivers (384.111-4) unstable; urgency=medium . * nvidia-kernel-{dkms,source}: Mention the supported architecture(s) in the long Description. * Use dh_missing --fail-missing. * Update lintian overrides. nvidia-graphics-drivers (390.48-1) unstable; urgency=medium . * New upstream long lived branch release 390.48 (2018-03-28). * Fixed CVE-2018-6249, CVE-2018-6253. https://nvidia.custhelp.com/app/answers/detail/a_id/4649 (Closes: #894338) - Added support for the following GPUs: Quadro GV100, Tesla V100-SXM2-32GB, Tesla V100-PCIE-32GB, Tesla V100-DGXS-32GB. - Updated the driver to prevent G-SYNC from being enabled when a Quadro Sync board is installed. G-SYNC and Quadro Sync were always mutually incompatible features, and this change makes it easier to use G-SYNC capable monitors on Quadro Sync configurations, as it is now no longer necessary to manually disable G-SYNC. - Further improved the fix for occasional flicker when using the X driver's composition pipeline. This was mostly fixed in 390.42, but now the fix should be more complete. . [ Luca Boccassi ] * Update nv-readme.ids. * Drop linux-4.15.patch, merged upstream. . [ Andreas Beckmann ] * Merge changes from 384.130-1 (UNRELEASED). * Update lintian overrides. nvidia-graphics-drivers (390.42-1) unstable; urgency=medium . * New upstream long lived branch release 390.42 (2018-03-12). - Fixed a regression, introduced in 390.12, that caused occasional flicker when using the X driver's composition pipeline, for example when using screen transformations like rotation, or the "ForceCompositionPipeline" or "ForceFullCompositionPipeline" options. * New upstream release 384 series. - Fixed a string concatenation bug that caused libGL to accidentally try to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases where /tmp isn't accessible. 
(Closes: #888028) - Increased the version numbers of the GLVND libGL, libGLESv1_CM, libGLESv2, and libEGL libraries, to prevent concurrently installed non-GLVND libraries from taking precedence in the dynamic linker cache. * Install the renamed GLVND libraries and add SONAME symlinks. * Update symbols files. * Add linux-4.15 patch from Archlinux. (Closes: #892413) * Remove obsolete bits from README.source. nvidia-graphics-drivers (390.25-2) unstable; urgency=medium . * Merge changes from 387.34-4. * Upload to unstable. nvidia-graphics-drivers (390.25-1) experimental; urgency=medium . * New upstream long lived branch release 390.25 (2018-01-29). - Fixed a regression introduced in 390.12 that prevented displays from working normally when running multiple X screens with emulated overlays. - Added support for the following GPUs: GeForce GTX 1060 5GB, Quadro P620. - Fixed a regression introduced in 390.12 that caused occasional hangs and hard lockup messages in the system log when screen transformations are in use. * New upstream release 340 series. - Fixed a bug which could cause X servers that export a Video Driver ABI earlier than 0.8 to crash when running X11 applications which call XRenderAddTraps(). . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz. . [ Andreas Beckmann ] * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * Merge changes from 384.111-4. * nvidia-detect: Report devices only supported on amd64. * nvidia-detect: Add PCI ID list for 384.111 in stretch. nvidia-graphics-drivers (390.12-1) experimental; urgency=medium . * New upstream beta 390.12 (2018-01-04). * Fixed CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown). 
https://nvidia.custhelp.com/app/answers/detail/a_id/4611 (Closes: #886852) - Added new application profile settings, "EGLVisibleDGPUDevices" and "EGLVisibleTegraDevices", to control which discrete and Tegra GPU devices, respectively, may be enumerated by EGL. See the "Application Profiles" appendix of the driver README for more details. - Corrected the SONAME of the copy of the libnvidia-egl-wayland library included in the .run installer package to libnvidia-egl-wayland.so.1. The SONAME had previously been versioned incorrectly with the full version number of the library. - Updated nvidia.ko to veto the ACPI_VIDEO_NOTIFY_PROBE event on kernels that allow the handler for this event to be overridden, to improve interaction between the NVIDIA driver and acpi_video on display hotplug events. - Fixed a bug that prevented Xinerama Info from being handled properly in SLI or Base Mosaic layouts with more than 24 displays. - Updated the X driver's composition pipeline (used for rotation, warp and blend, transformation matrices, etc) to also support stereo. - Fixed a bug where GetTexSubImage() would read incorrect data into a pixel buffer object when supplied with a target of GL_TEXTURE_1D_ARRAY and a non-zero yoffset value. - Added support for generic active stereo with in-band DisplayPort signaling. The X configuration option "InbandStereoSignaling" is deprecated in favor of this stereo mode. See "Appendix B. X Config Options" in the README for more information. - Modified the driver to avoid restoring framebuffer console modes on virtual reality head-mounted displays. * New upstream release 387 series. - Added support for the following GPUs: TITAN Xp COLLECTORS EDITION, GeForce GTX 1070 Ti, TITAN V [amd64]. - Fixed a bug that could cause a system crash when using the new NVreg_EnableBacklightHandler kernel module parameter on GPUs with no displays connected. . [ Luca Boccassi ] * Update nv-readme.ids. * Update symbols files. * Update lintian overrides. . 
[ Andreas Beckmann ] * Split nv-readme.ids into nv-readme.ids.common and nv-readme.ids.$ARCH, the GPUs with VDPAU feature set I, e.g. Tesla V100 and Titan V, are only supported on amd64. * Upload to experimental. nvidia-graphics-drivers (387.34-4) unstable; urgency=medium . * libcuda1: Add Provides: libcuda-9.1-1{,-i386}. * nvidia-modprobe.conf: Consistently handle nvidia-modeset. * Merge changes from 384.111-4. * Merge changes from 384.111-4~deb9u1 (stretch). * Update lintian overrides. * Upload to unstable. nvidia-graphics-drivers (387.34-3) experimental; urgency=medium . [ Luca Boccassi ] * Add timer.patch to fix kernel module build on Linux 4.15 and newer. . [ Andreas Beckmann ] * Merge changes from 384.111-1. * Restrict watch file to releases from the 387.xx long lived branch. nvidia-graphics-drivers (387.34-2) experimental; urgency=medium . * Support easier and consistent switching between GLVND/non-GLVND variants. * nvidia-driver-libs{,-i386}: Depend only on the GLVND variants. * nvidia-driver-libs-nonglvnd{,-i386}: New metapackages depending only on the non-GLVND variants. (Closes: #864497) * Stop shipping the classic libnvidia-tls.so.* and ship the modern one (for Linux 2.6 onwards) in the regular libdir instead of the tls/ subdir. (Closes: #883615) * Add #tls# substitution for the tls/ source directory. * Bump Standards-Version to 4.1.2. No changes needed. nvidia-graphics-drivers (387.34-1) experimental; urgency=medium . * New upstream short lived branch release 387.34 (2017-11-24). - Fixed a bug that caused Vulkan X11 swapchains to fail on GPUs without a display engine, such as some Tesla-branded graphics cards and some Optimus laptops. - Fixed a bug that caused fullscreen Vulkan applications to hang on some Kepler GPUs, such as the GeForce GTX 680. - Fixed a bug where the G-SYNC indicator was reporting "normal" instead of "G-SYNC" on Vulkan applications when G-SYNC was enabled. * New upstream short lived branch release 387.22 (2017-10-30). 
- Fixed a regression that could cause driver errors when setting modes that include DisplayPort Multi-Stream Transport devices. - Added an nvidia.ko kernel module parameter, NVreg_EnableBacklightHandler, which can be used to enable experimental handling of laptop backlight brightness through /sys/class/backlight/. This handler overrides the ACPI-based one provided by the video.ko kernel module. NVreg_EnableBacklightHandler is disabled by default. - Added G-SYNC to all supported Vulkan swapchains for Maxwell and up. G-SYNC is enabled by default when using G-SYNC-ready monitors. For direct-to-display swapchains, an application profile with "GLGSYNCAllowed" setting set to 'false' can be used to disable this feature: { "rules" : [ { "pattern" : [], "profile" : [ "GLGSYNCAllowed", false ] } ] } * New upstream beta 387.12 (2017-10-03). - Fixed a regression that caused some display connectors on some GPUs to not report a connected HDMI or DisplayPort audio device even if the connected monitor supports audio. - Fixed a race condition that could lead to crashes when OpenGL programs manipulated vertex buffer objects from multiple threads simultaneously. - Improved performance of fullscreen Vulkan applications using X11 swapchains. This optimization will cause more events that trigger an out-of-date swapchain, such as when entering or leaving fullscreen mode. (This is commonly encountered when using the alt-tab key combination, for example.) Applications that do not properly respond to the VK_ERROR_OUT_OF_DATE_KHR return code may not function properly when these events occur. See section 30.8 of the Vulkan specification. - Added support for YUV 4:2:0 compression for monitors connected via DisplayPort in configurations where either the display or GPU is incapable of driving the current mode in RGB 4:4:4. See the description in the "Programming Modes" appendix for details. - Added framebuffer console hot plug handling to nvidia-modeset. 
Note that hot plugging is only handled when nvidia-modeset is initialized; for example, when Xorg or nvidia-persistenced is running or when nvidia-drm is loaded with the "modeset=1" parameter. - Added an "AllowGSYNC" MetaMode attribute that can be used to disable G-SYNC completely. This can be used to allow enabling features that are incompatible with G-SYNC, such as Ultra Low Motion Blur or Frame Lock. - Fixed several problems that prevented the "cc_version_check" sanity test from running correctly when building the NVIDIA kernel modules. As these problems would have masked mismatches between the compiler versions used to build the kernel and the NVIDIA kernel modules for an extended period of time, nvidia-installer has been updated to ignore CC version mismatches by default when they are detected. - Tiled monitors formerly resulted in a separate Xinerama screen being reported for each tile. They will now, by default, be combined into a single large Xinerama screen. - The individual panels in a tiled monitor will now be arranged based on the layout information provided in the monitor's EDID. This can be overridden by either manually specifying offsets or using the "MetaModeOrientation" option. - Disabled interlaced modes over DisplayPort by default due to incomplete support in the GPU. Added "AllowDpInterlaced" mode validation token to override this default behavior and allow interlaced modes over DisplayPort protocol anyway. * New upstream release 384 series. - Fixed a regression that prevented displays connected via some types of passive adapters (e.g. DMS-59 to VGA or DVI) from working correctly. The regression was introduced with driver version 384.98. - Fixed a bug that caused Quadro M2200 GPUs to enter the lowest available PowerMizer performance level when under load. . [ Luca Boccassi ] * Update d/copyright with new 6.3 paragraph in Nvidia's license, which warns that the drivers are licensed for usage with Nvidia hardware. 
* Drop nvidia-drm-crtc.patch, fixed upstream, and refresh nvidia-drm-master-dev.patch and use-kbuild-compiler.patch to remove fuzz. * Adjust filenames for new minor ABI revision of libnvidia-egl-wayland1 (libnvidia-egl-wayland.so.1.0.1 -> libnvidia-egl-wayland.so.1.0.2). * Update symbols files. * Update nv-readme.ids. * Refresh nvidia-use-ARCH.o_binary.patch to remove fuzz from 387.22. . [ Andreas Beckmann ] * Update lintian overrides. * Upload to experimental. nvidia-modprobe (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-modprobe (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-modprobe (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-modprobe (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-modprobe (384.111-2~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-modprobe (384.111-2) unstable; urgency=medium . * Add setuid.patch to run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls. Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch! (Closes: #888952) * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-modprobe (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-modprobe (384.111-2) unstable; urgency=medium . * Add setuid.patch to run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls. Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch! (Closes: #888952) * Add debian/upstream/metadata. * Fix new Lintian issues. 
* Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . nvidia-persistenced (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-persistenced (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. . nvidia-persistenced (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-persistenced (390.25-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-persistenced (384.111-1) unstable; urgency=medium . * New upstream release. * B-D: dpkg-dev (>= 1.18.8) for SOURCE_DATE_EPOCH in pkg-info.mk. * Bump Standards-Version to 4.1.3. No changes needed. nvidia-settings (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. * Revert to debhelper compat level 10. . nvidia-settings (390.87-1) unstable; urgency=medium . * New upstream release 390.87. * Add Build-Depends-Package field to symbols file. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. . nvidia-settings (390.48-2) unstable; urgency=medium . 
* Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. . nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. . nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. * Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. . nvidia-settings (390.12-1) experimental; urgency=medium . * New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. * Upload to experimental. . nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. . nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. 
- Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. nvidia-settings (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-settings (390.87-1) unstable; urgency=medium . * New upstream release 390.87. * Add Build-Depends-Package field to symbols file. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-settings (390.67-1) unstable; urgency=medium . * New upstream release 390.67. * Use reproducibility patches from upstream. * Bump Standards-Version to 4.1.5. No changes needed. nvidia-settings (390.48-2) unstable; urgency=medium . * Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. nvidia-settings (390.48-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-settings (390.48-2) unstable; urgency=medium . * Add Provides+Conflicts: nvidia-settings-gtk-${nvidia:Version} to prevent file conflicts with the legacy package built from the same upstream version. * Use dh_missing --fail-missing. . nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. . nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. * Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. . nvidia-settings (390.12-1) experimental; urgency=medium . 
* New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. * Upload to experimental. . nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. . nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. - Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. . nvidia-settings (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-settings (390.48-1) unstable; urgency=medium . * New upstream release 390.48. * Bump Standards-Version to 4.1.4. No changes needed. * Switch to debhelper compat level 11. nvidia-settings (390.25-1) unstable; urgency=medium . * New upstream release 390.25. 
* Only build nvidia-settings on platforms where it is going to be used. (Closes: #892184) * Upload to unstable. nvidia-settings (390.12-1) experimental; urgency=medium . * New upstream release 390.12. - Updated the SLI Mosaic layout page in the nvidia-settings control panel to support topologies with up to 32 displays. - Added an OpenGL stereo preview feature to the screen page in nvidia-settings. * Merge changes from 384.111. nvidia-settings (387.34-2) unstable; urgency=medium . * Generate the GTK3|GTK2 dependency dynamically. (Closes: #885709) * Merge changes from 384.111-1 (unstable), 384.111-1~deb9u1 (stretch). * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. * Upload to unstable. nvidia-settings (387.34-1) experimental; urgency=medium . * New upstream release 387.34. * New upstream release 387.12. - Fixed a bug that sometimes prevented the "Reset Default Configuration" button in the nvidia-settings "ECC Settings" page from being available when the ECC configuration is set to a non-default state. - Fixed a bug that caused nvidia-settings to enforce overly aggressive limits on display positions in the "X Server Display Configuration" page under some circumstances. - Fixed a bug that could cause the "Enable Base Mosaic (Surround)" checkbox in nvidia-settings to disappear when an X screen, rather than a display, is selected in the "X Server Display Configuration" page. - Fixed a bug that caused the nvidia-settings control panel to retain some settings that had been applied, but not confirmed. This resulted in unwanted settings being applied to subsequent settings changes. * Refresh patches. * Bump Standards-Version to 4.1.2. No changes needed. * Upload to experimental. nvidia-settings (384.111-1) unstable; urgency=medium . * New upstream release 384.111. * Bump Standards-Version to 4.1.3. No changes needed. nvidia-xconfig (390.87-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. . 
nvidia-xconfig (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-xconfig (390.87-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . nvidia-xconfig (390.87-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.3.0. No changes needed. . nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. . nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. . nvidia-xconfig (384.111-1~deb9u1) stretch; urgency=medium . * Rebuild for stretch. nvidia-xconfig (390.25-1) unstable; urgency=medium . * New upstream release. nvidia-xconfig (387.34-1) unstable; urgency=medium . * New upstream release. * Add debian/upstream/metadata. * Fix new Lintian issues. * Switch Vcs-* URLs to salsa.debian.org. nvidia-xconfig (384.111-1) unstable; urgency=medium . * New upstream release. * Bump Standards-Version to 4.1.3. No changes needed. openni2 (2.2.0.33+dfsg-7+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix armhf baseline violation and armel FTBFS caused by NEON usage. (Closes: #874220) openssh (1:7.4p1-10+deb9u5) stretch; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2018-20685: disallow empty filenames or ones that refer to the current directory (Closes: #919101) * CVE-2019-6109: sanitize scp filenames via snmprintf (Closes: #793412) * CVE-2019-6111: check in scp client that filenames sent during remote->local directory copies satisfy the wildcards specified by the user openssl (1.1.0j-1~deb9u1) stretch-security; urgency=medium . 
* Import 1.1.0j - CVE-2018-0734 (Timing vulnerability in DSA signature generation) - CVE-2018-0735 (Timing vulnerability in ECDSA signature generation) - add new symbols . openssl (1.1.0i-1~deb9u1) stretch; urgency=medium . * Import 1.1.0i - Fix segfault ERR_clear_error (Closes: #903566) - Fix commandline option for CAengine (Closes: #907457) - CVE-2018-0732 (Client DoS due to large DH parameter) - CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation) * Abort the build if symbols are discovered which are not part of the symbols file. * use signing-key.asc and a https links for downloads openssl (1.1.0h-4) unstable; urgency=medium . * Build the binary in indep mode again, so we can install the documentation again. * Drop @echo in flavour so it builds again on Alpha * Add a 25-test_verify.t for autopkgtest which runs against installed openssl binary. openssl (1.1.0h-3) unstable; urgency=medium . * Drop afalgeng on kfreebsd-* which got enabled because they inherit from the linux target. * Fix regression with session cache use by clients (See: #895035). * openssl rehash: exit 0 on warnings, same as c_rehash (See: #895473 and #895482). * Fix debian-rules-sets-dpkg-architecture-variable. * Let VCS-* point to salsa.d.o. * Don't build the binary package in binary-indep mode. * Update to policy 4.1.4 - only Suggest: libssl-doc instead Recommends (only documentation and example code is shipped). - drop Priority: important. - use signing-key.asc and a https links for downloads * Use compat 11. - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it seems to make sense. * Fix CVE-2018-0737 (Closes: #895844). openssl (1.1.0h-2) unstable; urgency=high . * Revert "only quote stuff that actually needs quoting" so c_rehash has the quotes again (Closes: #894282). openssl (1.1.0h-1) unstable; urgency=medium . * Abort the build if symbols are discovered which are not part of the symbols file.
* Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007). * Enable afalgeng on Linux targets (Closes: #888305) * Add riscv64 target (Closes: #891797). * New upstream release 1.1.0h - Drop applied patches: aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-binut.patch - Update symbols file. - Fix CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64) - Fix CVE-2018-0733 (Incorrect CRYPTO_memcmp on HP-UX PA-RISC) - Fix CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could exceed the stack) * Correct lhash typo in header file (Closes: #892276). openssl (1.1.0g-2) unstable; urgency=high . * Avoid problems with aes assembler on armhf using binutils 2.29 openssl (1.1.0g-1) unstable; urgency=medium . * New upstream version - Fixes CVE-2017-3735 - Fixes CVE-2017-3736 * Remove patches applied upstream * Temporarily enable TLS 1.0 and 1.1 again (#875423) * Attempt to fix testsuite race condition * update no-symbolic.patch to apply openssl (1.1.0f-5) unstable; urgency=medium . * Instead of completely disabling TLS 1.0 and 1.1, just set the minimum version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version(). openssl (1.1.0f-4) unstable; urgency=medium . [ Sebastian Andrzej Siewior ] * Add support for arm64ilp32, patch by Wookey (Closes: #867240) . [ Kurt Roeckx ] * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS version. This will likely break things, but the hope is that by the release of Buster everything will speak at least TLS 1.2. This will be reconsidered before the Buster release. * Fix a race condition in the test suite (Closes: #869856) openssl1.0 (1.0.2q-1~deb9u1) stretch-security; urgency=medium . * use signing-key.asc and a https links for downloads * Import 1.0.2q stable release.
- CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation) - CVE-2018-0732 (Client DoS due to large DH parameter) - CVE-2018-0734 (Timing vulnerability in DSA signature generation) - CVE-2018-5407 (Microarchitecture timing vulnerability in ECC scalar multiplication) openssl1.0 (1.0.2o-1) unstable; urgency=medium . * Add riscv64 (Closes: #891799). * New upstream version 1.0.2o: - Fixes CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could exceed the stack) openssl1.0 (1.0.2n-1) unstable; urgency=medium . * New upstream version 1.0.2n - drop patches which applied upstream: - 0001-Fix-no-ssl3-build.patch - 0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch - Fixes CVE-2017-3737 (Read/write after SSL object in error state) - Fixes CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64) * move to gbp * Abort the build if symbols are discovered which are not part of the symbols file. openssl1.0 (1.0.2m-3) unstable; urgency=medium . * Avoid problems with aes and sha256 assembler on armhf using binutils 2.29 openssl1.0 (1.0.2m-2) unstable; urgency=medium . * Fix no-ssl3-method build openssl1.0 (1.0.2m-1) unstable; urgency=high . [ Kurt Roeckx ] * New upstream version - Fixes CVE-2017-3735 - Fixes CVE-2017-3736 . [ Sebastian Andrzej Siewior] * Add support for arm64ilp32, Patch by Wookey (Closes: #874709). openvpn (2.4.0-6+deb9u3) stretch; urgency=medium . * Fix NCP behaviour on TLS reconnect, causing "AEAD Decrypt error: cipher final failed" errors (Closes: #909430, #910937) parsedatetime (2.1-3+deb9u1) stretch; urgency=medium . * Rebuild to add python3 version for certbot stable update. pdns (4.0.3-1+deb9u3) stretch; urgency=medium . 
* Fix (security) bugs, partially using upstream patches: * CVE-2018-1046 in dnsreplay (Closes: #898255) * CVE-2018-10851 (Closes: #913163) * MySQL queries with stored procedures (Closes: #889798) * ldap, lua, opendbx backend not finding domains (Closes: #911659) pdns-recursor (4.0.4-1+deb9u4) stretch; urgency=high . * Security upload for CVE-2018-10851 CVE-2018-14626 CVE-2018-14644. perl (5.24.1-3+deb9u5) stretch-security; urgency=high . * [SECURITY] CVE-2018-18311: Integer overflow leading to buffer overflow and segmentation fault * [SECURITY] CVE-2018-18312: Heap-buffer-overflow write in S_regatom (regcomp.c) * [SECURITY] CVE-2018-18313: Heap-buffer-overflow read in regcomp.c * [SECURITY] CVE-2018-18314: Heap-based buffer overflow in extended character classes photocollage (1.4.3-2.1~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . photocollage (1.4.3-2.1) unstable; urgency=medium . * Non-maintainer upload. * Add the missing dependency on gir1.2-gtk-3.0. (Closes: #914440) php-pear (1:1.10.1+submodules+notgz-9+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Don't allow filenames to start with phar:// (CVE-2018-1000888) (Closes: #919147) php7.0 (7.0.33-0+deb9u1) stretch-security; urgency=high . * New upstream version 7.0.33 * Fixed security bugs: + [CVE-2018-19518]: imap_open() function command injection + [CVE-2018-14851]: heap-buffer-overflow (READ of size 48) while reading exif data + [CVE-2018-14883]: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c + [CVE-2018-17082]: XSS due to the header Transfer-Encoding: chunked php7.0 (7.0.32-1) unstable; urgency=medium . * New upstream version 7.0.32 * Rebase patches for PHP 7.0.32 php7.0 (7.0.31-1) unstable; urgency=medium . [ Ondřej Surý ] * New upstream version 7.0.31 * Fix the Vcs-Browser link php7.0 (7.0.30-2) unstable; urgency=medium . 
* Update Vcs-* links to salsa.d.o * Update maintainer address to team+pkg-php@tracker.d.o php7.0 (7.0.30-1) unstable; urgency=medium . * New upstream version 7.0.30 * Rebase patches for PHP 7.0.30 policykit-1 (0.105-18+deb9u1) stretch-security; urgency=medium . * CVE-2018-19788 (Closes: #915332) postfix (3.1.9-0+deb9u2) stretch; urgency=medium . * Update debian/watch to point to the 3.1 series used in stretch . postfix (3.1.9-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Unset inet_interfaces in postfix-instance-generator to avoid postconf failures when the generator runs during boot (Thanks to Stefan Anders for the patch). Closes: #896155 * Also fix use of postmulti in debian/configure-instance.sh since postfix-instance-generator uses it before the network is up. Closes: #882141 . [Wietse Venema] . * 3.1.9 - Cleanup: added 21 missing *_maps parameters to the default proxy_read_maps setting. Files: global/mail_params.h. . - Bugfix (introduced: 20120117): postconf should scan only built-in or service-defined parameters for ldap, *sql, etc. database names. Files: postconf/postconf_user.c. . - Bugfix (introduced: 19990302): when luser_relay specifies a non-existent local address, the luser_relay feature becomes a black hole. Reported by Jørgen Thomsen. File: local/unknown.c. . - Bugfix (introduced: Postfix 2.8): missing tls_server_start() error propagation in tlsproxy(8) resulting in segfault after TLS handshake error. Found during code maintenance. File: tlsproxy/tlsproxy.c. postfix (3.1.9-0+deb9u1) stretch; urgency=medium . [Scott Kitterman] . * Unset inet_interfaces in postfix-instance-generator to avoid postconf failures when the generator runs during boot (Thanks to Stefan Anders for the patch). Closes: #896155 * Also fix use of postmulti in debian/configure-instance.sh since postfix-instance-generator uses it before the network is up. Closes: #882141 . [Wietse Venema] . 
* 3.1.9 - Cleanup: added 21 missing *_maps parameters to the default proxy_read_maps setting. Files: global/mail_params.h. . - Bugfix (introduced: 20120117): postconf should scan only built-in or service-defined parameters for ldap, *sql, etc. database names. Files: postconf/postconf_user.c. . - Bugfix (introduced: 19990302): when luser_relay specifies a non-existent local address, the luser_relay feature becomes a black hole. Reported by Jørgen Thomsen. File: local/unknown.c. . - Bugfix (introduced: Postfix 2.8): missing tls_server_start() error propagation in tlsproxy(8) resulting in segfault after TLS handshake error. Found during code maintenance. File: tlsproxy/tlsproxy.c. postgresql-9.6 (9.6.11-0+deb9u1) stretch; urgency=medium . * New upstream version. postgrey (1.36-3+deb9u2) stretch; urgency=medium . * Non-maintainer upload. * Revert the 1.36-3+deb9u1 change due to regression. (see #880047) . postgrey (1.36-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * debian/postgrey.init: create /var/run/postgrey if it does not exist, patch provided by Laurent Bigonville . (Closes: 756813, 880047) postgrey (1.36-3+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * debian/postgrey.init: create /var/run/postgrey if it does not exist, patch provided by Laurent Bigonville . (Closes: 756813, 880047) pylint-django (0.7.2-1+deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Fix the python3-pylint-django dependencies. (Closes: #867413) python-acme (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. * Pull in unreleased version bump of josepy to fix deprecation warnings. 
* Pull in two patches to help fix josepy compatibility problems. * Pull in a Breaks to require upgrade in a single move. python-acme (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. * Pull in unreleased version bump of josepy to fix deprecation warnings. python-acme (0.27.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump S-V; add Rules-Require-Root: no python-acme (0.25.1-1) unstable; urgency=medium . * New upstream version 0.25.1 python-acme (0.25.1-1~bpo9+1) stretch-backports; urgency=high . * Rebuild for stretch-backports. . python-acme (0.25.1-1) unstable; urgency=medium . * New upstream version 0.25.1 . python-acme (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Add new dependency on requests-toolbelt * Drop unnecessary X-Python-Version fields * Add pytest as build-time dep only. . python-acme (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #895863) . python-acme (0.24.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Add new dependency on requests-toolbelt * Drop unnecessary X-Python-Version fields * Add pytest as build-time dep only. python-acme (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #895863) python-acme (0.24.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-acme (0.22.2-1) unstable; urgency=medium . * New upstream release. python-acme (0.22.2-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-acme (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! python-acme (0.21.1-1) unstable; urgency=high . * New upstream release. * Cleanup from josepy separation. 
python-acme (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-acme (0.20.0-1) unstable; urgency=low . * New upstream release. * Add new dependencies introduced upstream. * Bump S-V, debhelper versions. * Move doc-base ref to package instead of package-doc. python-acme (0.19.0-1) unstable; urgency=medium . * New upstream release. python-acme (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-acme (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-acme (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch to python3-sphinx for docs. . python-acme (0.17.0-1) unstable; urgency=medium . * New upstream release. * Reduce dependency on python-requests, following upstream. * Increase priority to optional to comply with Policy v4.0.1.0 * Declare Testsuite using simple autopkgtest. * Bump S-V to 4.0.1. . python-acme (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. . python-acme (0.12.0-1) experimental; urgency=medium . * New upstream release. . python-acme (0.11.1-1) unstable; urgency=medium . * New upstream release. * Drop dep on python3?-dnspython removed upstream python-acme (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch to python3-sphinx for docs. python-acme (0.17.0-1) unstable; urgency=medium . * New upstream release. * Reduce dependency on python-requests, following upstream. * Increase priority to optional to comply with Policy v4.0.1.0 * Declare Testsuite using simple autopkgtest. * Bump S-V to 4.0.1. python-acme (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. python-acme (0.12.0-1) experimental; urgency=medium . * New upstream release. python-acme (0.11.1-1) unstable; urgency=medium . * New upstream release. 
* Drop dep on python3?-dnspython removed upstream python-arpy (1.1.1-3~deb9u1) stretch; urgency=medium . * Non-maintainer upload. * Rebuild for stretch. . python-arpy (1.1.1-3) unstable; urgency=low . * Team upload. . [ Christoph Egger ] * Add VCS-* headers . [ Ondřej Nový ] * Fixed homepage (https) * Fixed VCS URL (https) . [ Scott Kitterman ] * Correct substitution variable for python3 interpreter depends (Closes: #867418) * Remove unneeded python:Provides * Update homepage for move to github * Add debian/watch python-certbot (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. (Closes: #887399) python-certbot (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.27.0-1) unstable; urgency=medium . * New upstream version 0.27.0 * Refresh patch after upstream migration to codecov * Bump python-sphinx requirement defensively; bump S-V with no changes * Bump dep on python-acme to 0.26.0~ python-certbot (0.26.1-1) unstable; urgency=medium . * New upstream release. python-certbot (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump S-V; add R-R-R: no python-certbot (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Bump python-acme dep version. python-certbot (0.25.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.24.0-2) unstable; urgency=medium . * Update team email address. (Closes: #899858) python-certbot (0.24.0-1) unstable; urgency=medium . 
* Add OR to dep on python-distutils for stretch-bpo * New upstream version 0.24.0 * Bump version dep on python3-acme python-certbot (0.23.0-1) unstable; urgency=medium . * New upstream release. * Add testdata back in to prevent test failure in RDeps. (Closes: #894025) * Bump S-V; no changes needed. python-certbot (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot (0.22.2-2) unstable; urgency=medium . * Change the way we remove testdata for better downstream support * Add dep on python3-distutils (Closes: #893775) python-certbot (0.22.2-1) unstable; urgency=medium . * New upstream release. python-certbot (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break the strict dependency relationship between certbot packages. python-certbot (0.21.1-1) unstable; urgency=high . * New upstream release. * Move d/copyright format to HTTPS python-certbot (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot (0.21.1-1) unstable; urgency=high . * New upstream release. * Move d/copyright format to HTTPS . python-certbot (0.20.0-3) unstable; urgency=medium . * Setup logrotation for certbot log files. (Closes: #873581, #881176) . python-certbot (0.20.0-2) unstable; urgency=low . * Add additional Breaks on py2 variants of libs. . python-certbot (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. . python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) python-certbot (0.20.0-3) unstable; urgency=medium . * Setup logrotation for certbot log files. (Closes: #873581, #881176) python-certbot (0.20.0-2) unstable; urgency=low . * Add additional Breaks on py2 variants of libs. python-certbot (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. 
python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) python-certbot (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot (0.19.0-1) unstable; urgency=medium . * New upstream release. (Closes: #838548) . python-certbot (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch from python-sphinx to python3-sphinx . python-certbot (0.17.0-2) unstable; urgency=high . * Revert d/rules for systemd cleanup. (Closes: #872090) . python-certbot (0.17.0-1) unstable; urgency=medium . [ Mattia Rizzolo ] * d/control: rename git repository to python-certbot too . [ Harlan Lieberman-Berg ] * New upstream version 0.17.0 * Bump S-V to 4.0.1, changing Priority to optional. * Bump B-D on python-cryptography * Add very basic autopkgtest. * Refresh patches. * Fix merge failure. * Tweak d/rules for systemd cleanup, raise compat to 10. . python-certbot (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. . python-certbot (0.12.0-1) experimental; urgency=medium . * New upstream release. * Add python-ipdb as build dependency. * Drop unnecessary dependency on dh-systemd (Closes: #856239) . python-certbot (0.11.1-1) unstable; urgency=medium . * New upstream release. * Add .pc to gitignore * Drop python-psutil dep no longer needed python-certbot (0.18.2-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. * Switch from python-sphinx to python3-sphinx python-certbot (0.17.0-2) unstable; urgency=high . * Revert d/rules for systemd cleanup. (Closes: #872090) python-certbot (0.17.0-1) unstable; urgency=medium . [ Mattia Rizzolo ] * d/control: rename git repository to python-certbot too . [ Harlan Lieberman-Berg ] * New upstream version 0.17.0 * Bump S-V to 4.0.1, changing Priority to optional. * Bump B-D on python-cryptography * Add very basic autopkgtest. * Refresh patches. * Fix merge failure. 
* Tweak d/rules for systemd cleanup, raise compat to 10. python-certbot (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. python-certbot (0.12.0-1) experimental; urgency=medium . * New upstream release. * Add python-ipdb as build dependency. python-certbot (0.11.1-1) unstable; urgency=medium . * New upstream release. * Add .pc to gitignore * Drop python-psutil dep no longer needed python-certbot-apache (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. python-certbot-apache (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.27.1-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.27.0-1) unstable; urgency=medium . * New upstream version 0.27.0 * Bump S-V; no changes needed * Add lintian-override for cross-python version dep. python-certbot-apache (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump deps on certbot, add acme dep explicitly * Bump S-V with R-R-R: no python-certbot-apache (0.25.0-2) unstable; urgency=medium . * Fix incorrect version dependency. python-certbot-apache (0.25.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 * Bump dep on certbot python-certbot-apache (0.24.0-2) unstable; urgency=medium . * Update team email address to tracker.d.o. (Closes: #899667) python-certbot-apache (0.24.0-1) unstable; urgency=medium . * New upstream version 0.24.0 * Bump S-V; no changes needed. 
python-certbot-apache (0.23.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-apache (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break strict dependency requirements. * Drop patches applied upstream. python-certbot-apache (0.21.1-1) unstable; urgency=high . * New upstream release. * Update Vcs-Git URL to be HTTPS. * Switch d/copyright URL to HTTPS. python-certbot-apache (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-apache (0.21.1-1) unstable; urgency=high . * New upstream release. * Update Vcs-Git URL to be HTTPS. * Switch d/copyright URL to HTTPS. . python-certbot-apache (0.20.0-3) unstable; urgency=medium . * Add version restriction on the Breaks of the dummy. . python-certbot-apache (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. . python-certbot-apache (0.20.0-1) unstable; urgency=low . * New upstream release. * Convert to python3! * Upgrade to debhelper 11. . python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.20.0-3) unstable; urgency=medium . * Add version restriction on the Breaks of the dummy. python-certbot-apache (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. python-certbot-apache (0.20.0-1) unstable; urgency=low . * New upstream release. * Convert to python3! * Upgrade to debhelper 11. python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-apache (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-certbot-apache (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx. * Bump S-V; no changes needed. 
* Drop unnecessary Testsuite header. . python-certbot-apache (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move experimental to unstable now that the freeze is over. * Upgrade to v4.0.1 of Debian policy . python-certbot-apache (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. . python-certbot-apache (0.12.0-1) experimental; urgency=medium . * New upstream release. . python-certbot-apache (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-apache (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx. * Bump S-V; no changes needed. * Drop unnecessary Testsuite header. python-certbot-apache (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move experimental to unstable now that the freeze is over. * Upgrade to v4.0.1 of Debian policy python-certbot-apache (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. python-certbot-apache (0.12.0-1) experimental; urgency=medium . * New upstream release. python-certbot-apache (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.28.0-1~deb9u1) stretch; urgency=medium . * This stretch update is to cure the problem caused by the deprecation and disabling of the upstream TLS-SNI-01 certificate verification protocol due to a security vulnerability. Note, the security vulnerability isn't in this package; rather, earlier versions of certbot are no longer functional due to changes in the interface that certbot uses to retrieve certificates. python-certbot-nginx (0.28.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.26.0-1) unstable; urgency=medium . * New upstream version 0.26.0 * Bump dependencies to match setup.py * Bump S-V; add R-R-R: no python-certbot-nginx (0.25.0-2) unstable; urgency=medium .
* Bump version requirement for acme and release -2 python-certbot-nginx (0.25.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.25.0-1) unstable; urgency=medium . * New upstream version 0.25.0 python-certbot-nginx (0.23.0-2) unstable; urgency=medium . * Switch maintainer email to tracker.d.o (Closes: #899674) python-certbot-nginx (0.23.0-1) unstable; urgency=medium . * New upstream release. * Bump S-V; no changes needed. python-certbot-nginx (0.23.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-certbot-nginx (0.22.0-1) unstable; urgency=medium . * New upstream release -- now with wildcards! * Break strict dependency requirement. python-certbot-nginx (0.21.1-1) unstable; urgency=high . * New upstream release. * Change Vcs-Git to use HTTPS. * Change d/copyright to use HTTPS python-certbot-nginx (0.21.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-nginx (0.21.1-1) unstable; urgency=high . * New upstream release. * Change Vcs-Git to use HTTPS. * Change d/copyright to use HTTPS . python-certbot-nginx (0.20.0-3) unstable; urgency=medium . * Add version restriction to Breaks/Replaces for dummy. (Closes: #886954) . python-certbot-nginx (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. . python-certbot-nginx (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V. . python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.20.0-3) unstable; urgency=medium . * Add version restriction to Breaks/Replaces for dummy. (Closes: #886954) python-certbot-nginx (0.20.0-2) unstable; urgency=low . * Add transitional dummy package. python-certbot-nginx (0.20.0-1) unstable; urgency=low . * New upstream release. * Switch to python3! * Update to debhelper 11, bump S-V.
python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.19.0-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. . python-certbot-nginx (0.19.0-1) unstable; urgency=medium . * New upstream release. . python-certbot-nginx (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx; bump S-V without changes. * Drop unnecessary Testsuite. . python-certbot-nginx (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move to unstable from experimental, now that the freeze is over. * Update to latest Debian policy. . python-certbot-nginx (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. . python-certbot-nginx (0.12.0-1) experimental; urgency=medium . * New upstream release. . python-certbot-nginx (0.11.1-1) unstable; urgency=medium . * New upstream release. python-certbot-nginx (0.18.2-1) unstable; urgency=medium . * New upstream release. * Move to python3-sphinx; bump S-V without changes. * Drop unnecessary Testsuite. python-certbot-nginx (0.17.0-1) unstable; urgency=medium . * New upstream release. * Move to unstable from experimental, now that the freeze is over. * Update to latest Debian policy. python-certbot-nginx (0.14.2-1) experimental; urgency=medium . * Team upload. * New upstream release. * Add dep8 smoke test. python-certbot-nginx (0.12.0-1) experimental; urgency=medium . * New upstream release. python-certbot-nginx (0.11.1-1) unstable; urgency=medium . * New upstream release. python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high . * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default 404 page. (Closes: #918230) python-hypothesis (3.6.1-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann ] * Non-maintainer upload. * Backport fix from 3.12.0-1 to stretch. . 
[ Tristan Seligmann ] * Fix permuted python3-hypothesis and python-hypothesis-doc Depends stanzas (closes: #867435). python-josepy (1.1.0-2~deb9u1) stretch; urgency=medium . * Backport to stable as a dependency for python-acme. python-josepy (1.1.0-2~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. python-josepy (1.1.0-1) unstable; urgency=medium . * New upstream release. python-josepy (1.0.1-1) unstable; urgency=medium . * Initial release. (Closes: #888624) * To prevent breaking downstream libs that may be using python-acme, we also have to build the Python 2 version. python-josepy (1.0.1-1~bpo9+1) stretch-backports; urgency=medium . * Rebuild for stretch-backports. pyzo (4.3.1-1+deb9u1) stretch; urgency=medium . [ Andreas Beckmann] * Non-maintainer upload. * Backport dependency fix from 4.4.3-1.2. . [ Adrian Bunk ] * Add the missing dependency on python3-pkg-resources, thanks to Julien Cervelle. (Closes: #917085) qemu (1:2.8+dfsg-6+deb9u5) stretch-security; urgency=medium . * Backport SSBD support (Closes: #908682) * CVE-2018-10839 (Closes: #910431) * CVE-2018-17962 (Closes: #911468) * CVE-2018-17963 (Closes: #911469) r-cran-readxl (0.1.1-1+deb9u2) stretch; urgency=high . * src/libxls/ole.h: Updated from readxl upstream (Closes: #920804) * libxls/xlstool.h: Idem * ole.c: Idem * xls.c: Idem * xlstool.c: Idem . * This addresses CVE-2018-20450 CVE-2018-20452 with corresponding upstream patch in libxls and readxl roundcube (1.2.3+dfsg.1-4+deb9u3) stretch-security; urgency=high . * Backport fix for CVE-2018-19206: XSS vulnerability via crafted use of