apt (1.4) unstable; urgency=medium

  * The April Fools' Release

  [ Julian Andres Klode ]
  * Ignore \.ucf-[a-z]+$ like we do for \.dpkg-[a-z]+$
  * Fix mistake in CHANGEPATH comment example

  [ Chris Lamb ]
  * auto-removal: Ignore running kernel if attempting a reproducible build
    (Closes: #857632)

  [ Joe Dalton ]
  * Danish program translation update (Closes: #856723)

  [ David Kalnischkies ]
  * Fix and avoid quoting in CommandLine::AsString (LP: #1672710)
  * Ignore AutomaticRemove conffile option in upgrade (Closes: #855891)

atom4 (4.1-7) unstable; urgency=low

  * Update to source format 3.0 (quilt)
  * Update to Standards-Version: 3.9.8
  * Migrate broken build system to SCons (Closes: #859498)
    - Fix compile errors.
    - Fix compile warnings.
  * Upgrade to debian/compat 9.

eject (2.1.5+deb1+cvs20081104-13.2) unstable; urgency=high

  * Non-maintainer upload.
  * CVE-2017-6964: Check the return values when dropping privileges
    (Closes: #858872)

execnet (1.4.1-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Disable tests that are often failing (Closes: #854494, #858189).

freetype (2.6.3-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * CVE-2016-10244: Heap-buffer-overflow src/type1/t1load.c
    (parse_charstrings): Reject fonts that don't contain glyph names.
    (Closes: #856971)

golang-1.7 (1.7.4-2) unstable; urgency=medium

  * Backport CL 37964 for tzdata 2017a changes (Closes: #859583)

gtk-sharp2 (2.12.40-1.1) unstable; urgency=medium

  * Non-maintainer upload.

  [ Andreas Henriksson ]
  * debian/patches/no-void-cachetype.patch: Do not generate invalid syntax
    when certain methods return void (Closes: #849932)

  [ Simon McVittie ]
  * Add a longer changelog entry and some patch metadata for the fix above
  * Run dh_cligacpolicy with umask 022 to avoid installing some files with
    0664, 0775 permissions (Lintian warning)
  * Relax gtk-sharp2 dependencies so they can be satisfied by a binNMU
    (Lintian error)

horizon (3:10.0.1-1) unstable; urgency=high

  [ Ivan Udovichenko ]
  * Sync to the latest version from stable/newton.

  [ Thomas Goirand ]
  * CVE-2017-7400: XSS in federation mappings UI. Applied upstream patch:
    Remove dangerous safestring declaration (Closes: #859559).
  * Updated Italian translation of debconf messages (Closes: #846931).

imagemagick (8:6.9.7.4+dfsg-3) unstable; urgency=medium

  * Bug fix: "fails to upgrade wheezy jessie stretch", thanks to
    Andreas Beckmann (Closes: #847282).
  * Fix man pages typo due to bad pattern in debian/rules (Closes: #859495).
  * Add my debian address.

kpatch (0.3.2-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fixes for Linux 4.9: (Closes: #851750)
    - Dropped patch kmod-core-fix-stacktrace_ops-address-function-protot.patch
    - Added patch kmod-core-use-save_stack_trace_tsk-backport.patch:
      backport of upstream commit 586feb40fe116b70d3ac752359706c3e1fafe4ea.
      Thanks to James Beck for the initial revision of this patch.

ksysguard (4:5.8.6-1) unstable; urgency=medium

  * New upstream release (5.8.6)

ksysguard (4:5.8.5-1) experimental; urgency=medium

  * New upstream release (5.8.5).

libindicate (0.6.92-4) unstable; urgency=medium

  * QA upload.

  [ Andreas Beckmann ]
  * libindicate-gtk3-dev: Depend on libindicate-gtk3-3 instead of
    libindicate-gtk3. (Closes: #715066)

libsndfile (1.0.27-2) unstable; urgency=medium

  * Backported fixes for buffer-write overflows from 1.0.28.
    Thanks to Erik de Castro Lopo
  * Added myself to uploaders

linux-signed (4.4) unstable; urgency=medium

  * Update to linux version 4.9.18-1

logback (1:1.1.9-3) unstable; urgency=medium

  * Team upload.
  * The patch for CVE-2017-5929 was incomplete. Add
    CVE-2017-5929-part2.patch and really fix the issue. (Closes: #857343)
  * Remove all test cases from CVE-2017-5929.patch and only apply the
    minimal changes to make it easier to review the package. Tests are
    disabled anyway.

logback (1:1.1.9-2) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2017-5929: It was discovered that logback, a flexible logging
    library for Java, would deserialize data from untrusted sockets. This
    issue has been resolved by adding a whitelist to use only trusted
    classes. (Closes: #857343) Thanks to Fabrice Dagorn for the report.

logback (1:1.1.9-2~exp1) experimental; urgency=medium

  * Team upload
  * Upload to experimental
  * Build and ship logback-access.jar:
    + Un-ignore the logback-access artifact
    + Patch logback-access to comply with the servlet 3.1 API
    + B-D on tomcat 8 and jetty 9 and force Debian's versions in
      d/maven.rules

ngs-sdk (1.3.0-2) unstable; urgency=medium

  * Fix install dir by using DEB_HOST_MULTIARCH instead of
    DEB_BUILD_GNU_TYPE (thanks for the patch to Graham Inggs)
    Closes: #859257

ocfs2-tools (1.8.4-4) unstable; urgency=medium

  * Add fix for sysfs filename (Closes: #858623)

packer (0.10.2+dfsg-4) unstable; urgency=medium

  * deb/rules: disable a flaky test in packer/rpc/mux_broker_test.go
    (Closes: #858018).

plasma-desktop (4:5.8.6-1) unstable; urgency=medium

  * New upstream release (5.8.6)

plasma-desktop (4:5.8.5-1) experimental; urgency=medium

  * New upstream release (5.8.5).

plasma-integration (5.8.6-1) unstable; urgency=medium

  * New upstream release (5.8.6)
  * Update build-deps and deps with the info from cmake
  * Add new patch: Drop-the-patch-version-for-breeze.patch

plasma-integration (5.8.5-2) experimental; urgency=medium

  * Team upload
  * Bump minimum breeze-dev requirement to 4:5.8.5 to match new requirement

plasma-integration (5.8.5-1) experimental; urgency=medium

  * New upstream release (5.8.5).

python-django (1:1.10.7-1) unstable; urgency=medium

  * New upstream security release:

    - CVE-2017-7233: Open redirect and possible XSS attack via
      user-supplied numeric redirect URLs.

      Django relies on user input in some cases (e.g.
      django.contrib.auth.views.login() and i18n) to redirect the user to
      an "on success" URL.
      The security check for these redirects (namely
      django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
      http:999999999) "safe" when they shouldn't be.

      Also, if a developer relies on is_safe_url() to provide safe redirect
      targets and puts such a URL into a link, they could suffer from an
      XSS attack. (Closes: #859515)

    - CVE-2017-7234: Open redirect vulnerability in
      django.views.static.serve().

      A maliciously crafted URL to a Django site using the
      django.views.static.serve() view could redirect to any other domain.
      The view no longer does any redirects as they don't provide any
      known, useful functionality.

      Note, however, that this view has always carried a warning that it is
      not hardened for production use and should be used only as a
      development aid. Thanks Phithon Gong for reporting this issue.
      (Closes: #859516)

python-tz (2016.7-0.3) unstable; urgency=medium

  * Non-maintainer upload.
  * Apply patch from upstream to assume tzdata/2017a abbreviations for
    timezones. Thanks to Graham Inggs for forwarding this to the BTS.
    (Closes: #858133)
    - Build-depend on tzdata 2017a, since the tests will now fail in the
      opposite way with older tzdata

qtwebchannel-opensource-src (5.7.1-2) unstable; urgency=medium

  [ Lisandro Damián Nicanor Pérez Meyer ]
  * Team upload.
  * Do not depend upon npm (Closes: #857994). It is used just by some
    examples and currently not on all archs, so while removing it is not
    the ideal solution, it is the only one we have available right now.

u-boot (2016.11+dfsg1-4) unstable; urgency=medium

  [ Vagrant Cascadian ]
  * [armel] Apply a patch from upstream to fix openrd targets which failed
    to boot, and re-enable the openrd targets (Closes: #856441). Thanks to
    Albert ARIBAUD for the patch, Martin Michlmayr for pointing out the
    patch, and Phil Hands and Rick Thomas for testing on various openrd
    platforms.

  [ Martin Michlmayr ]
  * u-boot-rpi: typo in README.Debian (Closes: #858574).

wine (1.8.7-2) unstable; urgency=medium

  * Update appstream data with 1.8.7 release information.

wine (1.8.7-1) experimental; urgency=medium

  * New upstream release 1.8.7, released Feb 28, 2017.
    - Various bug fixes.
    - A few more cards added to the GPU description table.
    - Turkish translation updates.
  * Refresh patches.

REMOVED: openssh-blacklist 0.4.1+nmu1
REMOVED: openvpn-blacklist 0.5+nmu1
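
The python-django entry above (CVE-2017-7233) describes a redirect check that treated numeric targets such as http:999999999 as safe. The following is an added example, not Django's code and not part of the changelog: a redirect-target validator that reads the scheme literally and refuses any target that has a scheme but no host. The names split_target and is_safe_redirect and the host shop.example are hypothetical.

```python
import re
import unicodedata

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):(.*)", re.DOTALL)


def split_target(url):
    """Split into (scheme, netloc, has_authority).

    The scheme is taken literally, so "http:999999999" yields scheme "http"
    and an empty netloc instead of being read as a schemeless path.
    """
    scheme, rest = "", url
    m = _SCHEME.match(url)
    if m:
        scheme, rest = m.group(1).lower(), m.group(2)
    if not rest.startswith("//"):
        return scheme, "", False
    netloc = re.split(r"[/?#]", rest[2:], maxsplit=1)[0].lower()
    return scheme, netloc, True


def is_safe_redirect(url, allowed_hosts):
    """True only for same-site paths or http(s) URLs on an allowed host."""
    url = (url or "").strip()
    if not url or unicodedata.category(url[0])[0] == "C":
        return False                      # empty or leading control character
    url = url.replace("\\", "/")          # browsers read "\" as "/"
    if url.startswith("///"):
        return False
    scheme, netloc, has_authority = split_target(url)
    if scheme and scheme not in ("http", "https"):
        return False                      # javascript:, data:, ...
    if (scheme or has_authority) and not netloc:
        return False                      # "http:999999999", "http:///x", "//?x"
    return not netloc or netloc in allowed_hosts


# Constructed sample inputs (hypothetical host names).
SAMPLES = ["/accounts/profile/", "https://shop.example/cart", "http:999999999",
           "//evil.example/x", "http:\\\\evil.example", "javascript:alert(1)"]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target!r:32} -> {is_safe_redirect(target, {'shop.example'})}")
```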