<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Debian Backports</title> <link rel="stylesheet" href="style.css" type="text/css" /> <link rel="stylesheet" href="local.css" type="text/css" /> <link rel="alternate" type="application/rss+xml" title="Debian Backports (RSS feed)" href="index.rss" /><link rel="alternate" type="application/atom+xml" title="Debian Backports (Atom feed)" href="index.atom" /> </head> <body> <div class="pageheader"> <div class="header"> <span> <span class="parentlinks"> </span> <span class="title"> Debian Backports </span> </span><!--.header--> </div> </div> <!-- .pageheader --> <div id="sidebar"> <h1>Main</h1> <ul> <li><span class="selflink">Home</span></li> <li><a href="./News/">News</a></li> <li><a href="./Instructions/">Instructions</a></li> <li><a href="./Packages/">Packages</a></li> <li><a href="./Mailinglists/">Mailinglists</a></li> <li><a href="./Contribute/">Contribute</a></li> </ul> <h1>Documentation</h1> <ul> <li><a href="./FAQ/">FAQ</a></li> </ul> <h1>Miscellaneous</h1> <ul> <li>Uploaders <ul> <li><a href="/changes/bullseye-backports-sloppy.html">Bullseye-sloppy</a></li> <li><a href="/changes/bullseye-backports.html">Bullseye</a></li> <li><a href="/changes/bookworm-backports.html">Bookworm</a></li> </ul> </li> <li><a href="https://ftp-master.debian.org/backports-new.html">NEW Queue</a></li> <li>Diffstats</li> <li><ul> <li><a href="./bullseye-backports/overview/">bullseye</a></li> <li><a href="./bullseye-backports-sloppy/overview/">bullseye-sloppy</a></li> <li><a href="./bookworm-backports/overview/">bookworm</a></li> </ul> </li> <li><p><a href="mailto:backports-team@debian.org">Feedback</a></p></li> </ul> </div> <div id="content"> <h2>Introduction</h2> <p>You are running Debian stable, because you prefer the Debian stable tree. 
It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.</p> <p>Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)</p> <p>Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!</p> <p>It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.</p> <h2>Where to start</h2> <ul> <li>Users should start at the <a href="./Instructions/">Instructions</a> page.</li> <li>Contributors should start at the <a href="./Contribute/">Contribute</a> page.</li> <li>If you want to know which packages are available via backports.debian.org look at the <a href="./Packages/">Packages</a> page.</li> </ul> <h2><a href="./News/">News</a></h2> <div class="feedlink"> <a class="feedbutton" type="application/rss+xml" rel="alternate" title="Debian Backports (RSS feed)" href="index.rss">RSS</a> <a class="feedbutton" type="application/atom+xml" rel="alternate" title="Debian Backports (Atom feed)" href="index.atom">Atom</a> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/BSA-121_Security_Update_for_python-django/">BSA-121 Security Update for python-django</a> </span> </div> <div class="inlinecontent"> <pre><code>Colin Watson uploaded new packages for python-django which fixed the
following security problems:

CVE-2024-45230

    Potential denial-of-service vulnerability in django.utils.html.urlize().
    urlize and urlizetrunc were subject to a potential denial-of-service
    attack via very large inputs with a specific sequence of characters.

CVE-2024-45231

    Potential user email enumeration via response status on password reset.
    Due to unhandled email sending failures, the
    django.contrib.auth.forms.PasswordResetForm class allowed remote
    attackers to enumerate user emails by issuing password reset requests
    and observing the outcomes. To mitigate this risk, exceptions occurring
    during password reset email sending are now handled and logged using
    the django.contrib.auth logger.

CVE-2024-53907

    Potential DoS in django.utils.html.strip_tags. The strip_tags() method
    and striptags template filter were subject to a potential
    denial-of-service attack via certain inputs containing large sequences
    of nested incomplete HTML entities.

CVE-2024-53908

    Potential SQL injection in HasKey(lhs, rhs) on Oracle. Direct usage of
    the django.db.models.fields.json.HasKey lookup on Oracle was subject to
    SQL injection if untrusted data is used as a lhs value. Applications
    that use the jsonfield.has_key lookup through the __ syntax are
    unaffected.

CVE-2024-56374

    Potential denial-of-service vulnerability in IPv6 validation. A lack of
    upper bound limit enforcement in strings passed when performing IPv6
    validation could have led to a potential denial-of-service (DoS) attack.
    The undocumented and private functions clean_ipv6_address and
    is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField
    form field, which has now been updated to define a max_length of 39
    characters. The GenericIPAddressField model field was not affected.

For the bookworm-backports distribution the problems have been fixed in
version 3:4.2.18-1~bpo12+1.
</code></pre> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Wed Feb 5 09:39:21 2025</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/BSA-120_Security_Update_for_mosquitto/">BSA-120 Security Update for mosquitto</a> </span> </div> <div class="inlinecontent"> <pre><code>Philippe Coval uploaded new packages for mosquitto which fixed the
following security problems:

CVE-2024-8376

    In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve
    memory leaking, segmentation fault or heap-use-after-free by sending
    specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE",
    "UNSUBSCRIBE" and "PUBLISH" packets.

For the bookworm-backports distribution the problems have been fixed in
version 2.0.20-1~bpo12+1.
</code></pre> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Tue Oct 22 00:00:00 2024</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/Removal_of_buster-backports_from_the_debian_archive/">Removal of buster-backports from the debian archive</a> </span> </div> <div class="inlinecontent"> <p>Debian Backports does not support LTS [1], therefore buster-backports has been unsupported since August 1st 2022.</p> <p>Despite the documentation, buster-backports was still available on the mirrors; that changed recently with the archival of buster-backports. Unfortunately we missed creating an announcement in 2022, which led to some surprise. 
Please take this as the missing announcement.</p> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Tue Apr 16 21:00:07 2024</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/BSA-117_Security_Update_for_xerial-sqlite-jdbc/">BSA-117 Security Update for xerial-sqlite-jdbc</a> </span> </div> <div class="inlinecontent"> <pre><code>Pierre Gruet uploaded new packages for xerial-sqlite-jdbc which fixed the
following security problem:

CVE-2023-32697

    It was discovered that xerial-sqlite-jdbc had a remote code execution
    vulnerability via JDBC URL, which was caused by a predictable UUID
    choice.

For the bullseye-backports distribution the problem has been fixed in
version 3.36.0.3+dfsg1-3~bpo11+2.
</code></pre> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Mon Jul 17 21:14:45 2023</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/BSA-118_Security_Update_for_mosquitto/">BSA-118 Security Update for mosquitto</a> </span> </div> <div class="inlinecontent"> <pre><code>Philippe Coval uploaded new packages for mosquitto which fixed the
following security problems:

CVE-2021-34434

    In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic
    security plugin, if the ability for a client to make subscriptions on a
    topic is revoked when a durable client is offline, then existing
    subscriptions for that client are not revoked.

For the bookworm-backports distribution the problems have been fixed in
version 2.0.15-2~bpo12+1.
</code></pre> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Mon Aug 16 00:00:00 2021</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/bullseye-backports_et_all/">bullseye-backports et all</a> </span> </div> <div class="inlinecontent"> <h2>bullseye-backports and buster-backports-sloppy started</h2> <p>From now on you can upload packages to those two distributions. Please make sure to follow the <a href="https://backports.debian.org/Contribute/">rules</a> of those distributions (yes, that means you can't upload packages to bullseye-backports now that are not in testing ;))</p> <h2>stretch-backports discontinued</h2> <p>Following the <a href="https://backports.debian.org/Instructions/">rules</a>, oldstable backports was discontinued some time ago, but we never announced that officially. Please do not upload anything to oldstable backports.</p> <h2>security uploads</h2> <p>Announcing security updates didn't work well in the past. We therefore decided to change the mechanism by which security announcements work. Every Debian contributor (DM/DD) can now send a signed mail to the debian-backports-announce mailinglist. Please follow the <a href="https://backports.debian.org/Contribute/#index4h2">template</a> when doing so. The contribution document also shows how to reserve a BSA by doing a merge request to the website.</p> <h2>new backports maintainers</h2> <p>I am happy to announce that Thorsten Glaser (tg) and Micha Lenk (micha) will join us as backports ftpmasters. They are not yet onboarded, but that will happen soon. 
Please give them a warm welcome.</p> <h2>updates for the website</h2> <p>If you have something to contribute for our website, feel free to create an issue or (even better) create a merge request against https://salsa.debian.org/backports-team/backports-website</p> <p>Thanks</p> <p>Alex - backports ftpmaster</p> <p>[1] https://backports.debian.org/Contribute/ [2] https://backports.debian.org/Instructions/ [3] https://backports.debian.org/Contribute/#index4h2</p> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Fri Aug 6 21:46:49 2021</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/buster-backports/">buster-backports</a> </span> </div> <div class="inlinecontent"> <p>Now that buster was released we are pleased to announce the availability of buster-backports and stretch-backports-sloppy.</p> <h2>What to upload where</h2> <p> As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means:</p> <table> <thead> <tr> <th>Source Distribution </th> <th> Backports Distribution </th> <th> Sloppy Distribution</th> </tr> </thead> <tbody> <tr> <td>buster </td> <td> stretch-backports </td> <td> -</td> </tr> <tr> <td>bullseye </td> <td> buster-backports </td> <td> stretch-backports-sloppy</td> </tr> </tbody> </table> <h2>Backports and LTS</h2> <p>Please keep in mind that backports doesn't follow LTS. Which means that we will drop support for oldstable (stretch) around one year after the release of buster. That's in sync with the - official - security support for <a href="https://www.debian.org/security/faq#lifespan">oldstable</a></p> <h2>BSA Security Advisories</h2> <p>We plan to switch the security-announce mailinglist to keyring based authentication, which means that every DD and DM is able to publish its own BSA advisories. 
We will send out a separate announcement after the switch happened - and of course update the <a href="https://backports.debian.org/Contribute/#index4h2">documentation</a></p> <h2>Statistics</h2> <p> For packages backported from buster, so far we have 1624 different source packages in stretch-backports. Those 1624 source packages took 2821 uploads from 252 uploaders to become reality.</p> <h2>Thanks</h2> <p> Thanks have to go out to all people making backports possible, and that includes up front the backporters themselves who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.</p> <p>Happy Backporting!</p> <p>Alex and Rhonda - backports.debian.org ftpmasters</p> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Tue Jul 16 19:51:07 2019</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/BSA-116_Security_Update_for_openvpn/">BSA-116 Security Update for openvpn</a> </span> </div> <div class="inlinecontent"> <pre><code>Bernhard Schmidt uploaded new packages for openvpn which fixed the
following security problems:

CVE-2017-7479

    It was discovered that openvpn did not properly handle the rollover of
    packet identifiers. This would allow an authenticated remote attacker
    to cause a denial-of-service via application crash.

CVE-2017-7508

    Guido Vranken discovered that openvpn did not properly handle specific
    malformed IPv6 packets. This would allow a remote attacker to cause a
    denial-of-service via application crash.

CVE-2017-7520

    Guido Vranken discovered that openvpn did not properly handle clients
    connecting to an HTTP proxy with NTLMv2 authentication. This would
    allow a remote attacker to cause a denial-of-service via application
    crash, or potentially leak sensitive information like the user's proxy
    password.

CVE-2017-7521

    Guido Vranken discovered that openvpn did not properly handle some x509
    extensions. This would allow a remote attacker to cause a
    denial-of-service via application crash.

For the jessie-backports distribution the problems have been fixed in
version 2.4.0-6+deb9u1~bpo8+1.
</code></pre> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Tue Jul 4 21:15:59 2017</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/BSA-115_Security_Update_for_salt/">BSA-115 Security Update for salt</a> </span> </div> <div class="inlinecontent"> <pre><code>Al Nikolov uploaded new package for salt which fixed the following
security problem:

CVE-2017-8109

    The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4
    copied over configuration from the Salt Master without adjusting
    permissions, which might leak credentials to local attackers on
    configured minions (clients).

For the jessie-backports distribution the problems have been fixed in
version 2016.11.2+ds-1~bpo8+2.
</code></pre> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Mon Jun 26 22:16:01 2017</span> </span> </div> </div> <div class="inlinepage"> <div class="inlineheader"> <span class="header"> <a href="./news/stretch-backports/">stretch-backports</a> </span> </div> <div class="inlinecontent"> <p> With the release of stretch we are pleased to open the doors for stretch-backports and jessie-backports-sloppy. \o/</p> <p>As usual with a new release we will change a few things for the backports service.</p> <h2>What to upload where</h2> <p> As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. 
Which means:</p> <table> <thead> <tr> <th>Source Distribution </th> <th> Backports Distribution </th> <th> Sloppy Distribution</th> </tr> </thead> <tbody> <tr> <td>buster </td> <td> stretch-backports </td> <td> jessie-backports-sloppy</td> </tr> <tr> <td>stretch </td> <td> jessie-backports </td> <td> -</td> </tr> </tbody> </table> <h2>Deprecation of LTS support for backports</h2> <p>We started supporting backports as long as there is LTS support as an experiment. Unfortunately it didn't work; most maintainers didn't want to support oldoldstable-backports (squeeze) for the lifetime of LTS. So things started to rot in squeeze and most packages didn't receive updates. After long discussions we decided to deprecate LTS support for backports. From now on squeeze-backports(-sloppy) is closed and will not receive any updates. Expect it to get removed from the mirrors and moved to archive in the near future.</p> <h2>BSA handling</h2> <p>We - the backports team - didn't scale well in processing BSA requests. To get things better in the future we decided to change the process a little bit. If you upload a package which fixes security problems please fill out the BSA template and create a ticket in the rt tracker (see https://backports.debian.org/Contribute/#index3h2 for details).</p> <h2>Stretching the rules</h2> <p>From time to time it's necessary to not follow the backports rules, like a package needs to be in testing or a version needs to be in Debian. 
If you think you have one of those cases, please talk to us on the list <strong>before</strong> uploading the package.</p> <h2>Thanks</h2> <p> Thanks have to go out to all people making backports possible, and that includes up front the backporters themselves who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.</p> <p> We wish you a happy stretch <img src="./smileys/smile.png" alt=":)" /> Alex, on behalf of the Backports Team</p> </div> <div class="inlinefooter"> <span class="pagedate"> Posted <span class="date">Mon Jun 26 20:26:14 2017</span> </span> </div> </div> </div> <div id="footer" class="pagefooter"> <div id="pageinfo"> <div id="backlinks"> Links: <a href="./sidebar/">sidebar</a> </div><!-- #backlinks --> <div class="pagedate"> Last edited <span class="date">Wed Mar 27 09:13:11 2013</span> <!-- Created <span class="date">Thu May 20 12:49:42 2010</span> --> from https://salsa.debian.org/backports-team/backports-website </div> </div><!-- #pageinfo --> <!-- from Debian Backports --> </div><!-- .pagefooter #footer --> </body> </html>