Branches for Lucid

Name Status Last Modified Last Commit
lp://staging/~qtjambi-community/ubuntu/lucid/qtjambi-snapshot/debian Development 2015-06-02 17:16:31 UTC
264. maint/bzr_push.sh Auto copy, commit a...

Author: Darryl L. Miles
Revision Date: 2015-06-02 17:16:31 UTC

maint/bzr_push.sh Auto copy, commit and push for: control.snapshot (ubuntu/lucid)

lp://staging/ubuntu/lucid-proposed/linux-meta-ec2 bug Mature 2015-04-28 14:23:23 UTC
61. Bump linux-ec2 ABI to 377 for stable ...

Author: Stefan Bader
Revision Date: 2015-04-28 14:23:23 UTC

Bump linux-ec2 ABI to 377 for stable release

lp://staging/ubuntu/lucid-security/linux-meta-ec2 Mature 2015-04-28 14:23:23 UTC
61. Bump linux-ec2 ABI to 377 for stable ...

Author: Stefan Bader
Revision Date: 2015-04-28 14:23:23 UTC

Bump linux-ec2 ABI to 377 for stable release

lp://staging/ubuntu/lucid-updates/linux-meta-ec2 Mature 2015-04-28 14:23:23 UTC
61. Bump linux-ec2 ABI to 377 for stable ...

Author: Stefan Bader
Revision Date: 2015-04-28 14:23:23 UTC

Bump linux-ec2 ABI to 377 for stable release

lp://staging/ubuntu/lucid-security/linux-ports-meta Mature 2015-04-28 10:33:15 UTC
91. Bump ABI

Author: Luis Henriques
Revision Date: 2015-04-28 10:33:15 UTC

Bump ABI

lp://staging/ubuntu/lucid-updates/linux-ports-meta Mature 2015-04-28 10:33:15 UTC
91. Bump ABI

Author: Luis Henriques
Revision Date: 2015-04-28 10:33:15 UTC

Bump ABI

lp://staging/ubuntu/lucid-security/linux-backports-modules-2.6.32 Mature 2015-04-28 10:27:52 UTC
70. Start new release (and bump ABI)

Author: Luis Henriques
Revision Date: 2015-04-28 10:27:52 UTC

Start new release (and bump ABI)

lp://staging/ubuntu/lucid-updates/linux-backports-modules-2.6.32 bug Mature 2015-04-28 10:27:52 UTC
70. Start new release (and bump ABI)

Author: Luis Henriques
Revision Date: 2015-04-28 10:27:52 UTC

Start new release (and bump ABI)

lp://staging/ubuntu/lucid-proposed/linux-backports-modules-2.6.32 bug Development 2015-04-28 10:27:52 UTC
70. Start new release (and bump ABI)

Author: Luis Henriques
Revision Date: 2015-04-28 10:27:52 UTC

Start new release (and bump ABI)

lp://staging/ubuntu/lucid-security/linux-meta bug Mature 2015-04-27 17:47:44 UTC
228. [ Luis Henriques ] Bump ABI

Author: Luis Henriques
Revision Date: 2015-04-27 17:47:44 UTC

[ Luis Henriques ]

Bump ABI

lp://staging/ubuntu/lucid-updates/linux-meta bug Mature 2015-04-27 17:47:44 UTC
228. [ Luis Henriques ] Bump ABI

Author: Luis Henriques
Revision Date: 2015-04-27 17:47:44 UTC

[ Luis Henriques ]

Bump ABI

lp://staging/ubuntu/lucid-proposed/tzdata bug Mature 2015-04-26 16:44:56 UTC
91. New upstream release with yet another...

Author: Adam Conrad
Revision Date: 2015-04-26 16:44:56 UTC

New upstream release with yet another urgent DST change for Egypt.

lp://staging/ubuntu/lucid-security/tzdata Mature 2015-04-26 16:44:56 UTC
91. New upstream release with yet another...

Author: Adam Conrad
Revision Date: 2015-04-26 16:44:56 UTC

New upstream release with yet another urgent DST change for Egypt.

lp://staging/ubuntu/lucid-updates/tzdata bug Mature 2015-04-26 16:44:56 UTC
91. New upstream release with yet another...

Author: Adam Conrad
Revision Date: 2015-04-26 16:44:56 UTC

New upstream release with yet another urgent DST change for Egypt.

lp://staging/ubuntu/lucid-security/libtasn1-3 Mature 2015-04-02 11:27:53 UTC
17. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-04-02 11:27:53 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  overflow in _asn1_ltostr
  - debian/patches/CVE-2015-2806.patch: introduce LTOSTR_MAX_SIZE and use
    in lib/coding.c, lib/decoding.c, lib/element.c, lib/parser_aux.c,
    lib/parser_aux.h.
  - CVE-2015-2806

lp://staging/ubuntu/lucid-updates/libtasn1-3 Mature 2015-04-02 11:27:53 UTC
17. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-04-02 11:27:53 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  overflow in _asn1_ltostr
  - debian/patches/CVE-2015-2806.patch: introduce LTOSTR_MAX_SIZE and use
    in lib/coding.c, lib/decoding.c, lib/element.c, lib/parser_aux.c,
    lib/parser_aux.h.
  - CVE-2015-2806

lp://staging/ubuntu/lucid-security/tiff bug Mature 2015-04-01 20:14:58 UTC
23. * SECURITY REGRESSION: regression whe...

Author: Marc Deslauriers
Revision Date: 2015-04-01 14:09:19 UTC

* SECURITY REGRESSION: regression when saving TIFF files with compression
  predictor (LP: #1439186)
  - debian/patches/CVE-2014-8128-5.patch: disable until proper upstream
    fix is available.

lp://staging/ubuntu/lucid-updates/tiff bug Mature 2015-04-01 14:09:19 UTC
23. * SECURITY REGRESSION: regression whe...

Author: Marc Deslauriers
Revision Date: 2015-04-01 14:09:19 UTC

* SECURITY REGRESSION: regression when saving TIFF files with compression
  predictor (LP: #1439186)
  - debian/patches/CVE-2014-8128-5.patch: disable until proper upstream
    fix is available.

lp://staging/ubuntu/lucid-security/libgcrypt11 Mature 2015-03-26 08:55:36 UTC
24. * SECURITY UPDATE: sidechannel attack...

Author: Marc Deslauriers
Revision Date: 2015-03-26 08:55:36 UTC

* SECURITY UPDATE: sidechannel attack on Elgamal
  - debian/patches/24-CVE-2014-3591.diff: use ciphertext blinding in
    cipher/elgamal.c.
  - CVE-2014-3591
* SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm
  - debian/patches/25-CVE-2015-0837.diff: avoid timing variations in
    mpi/mpi-pow.c, mpi/mpiutil.c, src/mpi.h.
  - CVE-2015-0837

lp://staging/ubuntu/lucid-updates/libgcrypt11 Mature 2015-03-26 08:55:36 UTC
24. * SECURITY UPDATE: sidechannel attack...

Author: Marc Deslauriers
Revision Date: 2015-03-26 08:55:36 UTC

* SECURITY UPDATE: sidechannel attack on Elgamal
  - debian/patches/24-CVE-2014-3591.diff: use ciphertext blinding in
    cipher/elgamal.c.
  - CVE-2014-3591
* SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm
  - debian/patches/25-CVE-2015-0837.diff: avoid timing variations in
    mpi/mpi-pow.c, mpi/mpiutil.c, src/mpi.h.
  - CVE-2015-0837

lp://staging/ubuntu/lucid-security/gnutls26 Mature 2015-03-20 09:56:50 UTC
26. * SECURITY UPDATE: signature forgery ...

Author: Marc Deslauriers
Revision Date: 2015-03-20 09:56:50 UTC

* SECURITY UPDATE: signature forgery issue
  - debian/patches/CVE-2015-0282.patch: make sure the signature
    algorithms match in lib/gnutls_algorithms.c, lib/gnutls_algorithms.h,
    lib/x509/privkey.c, lib/x509/verify.c, lib/x509/x509.c,
    lib/x509/x509_int.h.
  - CVE-2015-0282
* SECURITY UPDATE: certificate algorithm consistency issue
  - debian/patches/CVE-2015-0294.patch: make sure the two signature
    algorithms match on cert import in lib/x509/x509.c.
  - CVE-2015-0294
* SECURITY UPDATE: missing date/time checks on CA certificates
  - debian/patches/CVE-2014-8155.patch: perform time verification on
    trusted certificate list in lib/includes/gnutls/x509.h,
    lib/x509/verify.c.
  - CVE-2014-8155

lp://staging/ubuntu/lucid-updates/gnutls26 bug Mature 2015-03-20 09:56:50 UTC
27. * SECURITY UPDATE: signature forgery ...

Author: Marc Deslauriers
Revision Date: 2015-03-20 09:56:50 UTC

* SECURITY UPDATE: signature forgery issue
  - debian/patches/CVE-2015-0282.patch: make sure the signature
    algorithms match in lib/gnutls_algorithms.c, lib/gnutls_algorithms.h,
    lib/x509/privkey.c, lib/x509/verify.c, lib/x509/x509.c,
    lib/x509/x509_int.h.
  - CVE-2015-0282
* SECURITY UPDATE: certificate algorithm consistency issue
  - debian/patches/CVE-2015-0294.patch: make sure the two signature
    algorithms match on cert import in lib/x509/x509.c.
  - CVE-2015-0294
* SECURITY UPDATE: missing date/time checks on CA certificates
  - debian/patches/CVE-2014-8155.patch: perform time verification on
    trusted certificate list in lib/includes/gnutls/x509.h,
    lib/x509/verify.c.
  - CVE-2014-8155

lp://staging/ubuntu/lucid-security/openssl bug Mature 2015-03-19 09:57:59 UTC
61. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-03-19 09:57:59 UTC

* SECURITY UPDATE: denial of service and possible memory corruption via
  malformed EC private key
  - debian/patches/CVE-2015-0209.patch: fix use after free in
    crypto/ec/ec_asn1.c.
  - debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
    freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
  - CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
  - debian/patches/CVE-2015-0286.patch: handle boolean types in
    crypto/asn1/a_type.c.
  - CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
  - debian/patches/CVE-2015-0287.patch: free up structures in
    crypto/asn1/tasn_dec.c.
  - CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
  - debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
    crypto/x509/x509_req.c.
  - CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
  PKCS#7 parsing
  - debian/patches/CVE-2015-0289.patch: handle missing content in
    crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
  - CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
  decoding
  - debian/patches/CVE-2015-0292.patch: prevent underflow in
    crypto/evp/encode.c.
  - CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
  - debian/patches/CVE-2015-0293.patch: check key lengths in
    ssl/s2_lib.c, ssl/s2_srvr.c.
  - debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
    ssl/s2_srvr.c.
  - CVE-2015-0293

lp://staging/ubuntu/lucid-updates/openssl Mature 2015-03-19 09:57:59 UTC
61. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-03-19 09:57:59 UTC

* SECURITY UPDATE: denial of service and possible memory corruption via
  malformed EC private key
  - debian/patches/CVE-2015-0209.patch: fix use after free in
    crypto/ec/ec_asn1.c.
  - debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
    freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
  - CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
  - debian/patches/CVE-2015-0286.patch: handle boolean types in
    crypto/asn1/a_type.c.
  - CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
  - debian/patches/CVE-2015-0287.patch: free up structures in
    crypto/asn1/tasn_dec.c.
  - CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
  - debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
    crypto/x509/x509_req.c.
  - CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
  PKCS#7 parsing
  - debian/patches/CVE-2015-0289.patch: handle missing content in
    crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
  - CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
  decoding
  - debian/patches/CVE-2015-0292.patch: prevent underflow in
    crypto/evp/encode.c.
  - CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
  - debian/patches/CVE-2015-0293.patch: check key lengths in
    ssl/s2_lib.c, ssl/s2_srvr.c.
  - debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
    ssl/s2_srvr.c.
  - CVE-2015-0293

lp://staging/ubuntu/lucid-security/libxfont Mature 2015-03-18 07:33:52 UTC
27. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:33:52 UTC

* SECURITY UPDATE: arbitrary code execution via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

lp://staging/ubuntu/lucid-updates/libxfont Mature 2015-03-18 07:33:52 UTC
27. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:33:52 UTC

* SECURITY UPDATE: arbitrary code execution via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

lp://staging/ubuntu/lucid-security/sudo Mature 2015-03-12 12:21:20 UTC
43. * SECURITY UPDATE: arbitrary file acc...

Author: Marc Deslauriers
Revision Date: 2015-03-12 12:21:20 UTC

* SECURITY UPDATE: arbitrary file access via TZ
  - configure, configure.in, doc/sudoers.cat, doc/sudoers.man.in,
    pathnames.h.in, plugins/sudoers/env.c: sanity check TZ env variable.
  - http://www.sudo.ws/repos/sudo/rev/650ac6938b59
  - http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0
  - http://www.sudo.ws/repos/sudo/rev/91859f613b88
  - http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0
  - CVE-2014-9680

lp://staging/ubuntu/lucid-updates/sudo Mature 2015-03-12 12:21:20 UTC
43. * SECURITY UPDATE: arbitrary file acc...

Author: Marc Deslauriers
Revision Date: 2015-03-12 12:21:20 UTC

* SECURITY UPDATE: arbitrary file access via TZ
  - configure, configure.in, doc/sudoers.cat, doc/sudoers.man.in,
    pathnames.h.in, plugins/sudoers/env.c: sanity check TZ env variable.
  - http://www.sudo.ws/repos/sudo/rev/650ac6938b59
  - http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0
  - http://www.sudo.ws/repos/sudo/rev/91859f613b88
  - http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0
  - CVE-2014-9680

lp://staging/ubuntu/lucid-security/ecryptfs-utils bug Mature 2015-03-11 00:37:05 UTC
68. * SECURITY UPDATE: Mount passphrase w...

Author: Tyler Hicks
Revision Date: 2015-03-04 16:26:45 UTC

* SECURITY UPDATE: Mount passphrase wrapped with a default salt value
  - src/libecryptfs/key_management.c, src/include/ecryptfs.h: Generate a
    random salt when wrapping the mount passphrase.
  - src/pam_ecryptfs/pam_ecryptfs.c: If a user has a mount passphrase that was
    wrapped using the default salt, their mount passphrase will be rewrapped
    using a random salt when they log in with their password.
  - src/libecryptfs/key_management.c: Create a temporary file when creating
    a new wrapped-passphrase file and copy it to its final destination after
    the file has been fully synced to disk (LP: #1020902)
  - CVE-2014-9687

lp://staging/ubuntu/lucid-updates/ecryptfs-utils Mature 2015-03-04 16:26:45 UTC
68. * SECURITY UPDATE: Mount passphrase w...

Author: Tyler Hicks
Revision Date: 2015-03-04 16:26:45 UTC

* SECURITY UPDATE: Mount passphrase wrapped with a default salt value
  - src/libecryptfs/key_management.c, src/include/ecryptfs.h: Generate a
    random salt when wrapping the mount passphrase.
  - src/pam_ecryptfs/pam_ecryptfs.c: If a user has a mount passphrase that was
    wrapped using the default salt, their mount passphrase will be rewrapped
    using a random salt when they log in with their password.
  - src/libecryptfs/key_management.c: Create a temporary file when creating
    a new wrapped-passphrase file and copy it to its final destination after
    the file has been fully synced to disk (LP: #1020902)
  - CVE-2014-9687

lp://staging/ubuntu/lucid-proposed/vde2 bug Mature 2015-02-26 19:58:08 UTC
11. * d/p/vdeterm-terminal-reset.patch: *...

Author: Serge Hallyn
Revision Date: 2014-09-22 14:39:06 UTC

* d/p/vdeterm-terminal-reset.patch: * Fix bug when vdeterm exits too early
  and improperly resets the terminal (LP: #804647)
* d/p/fix-splitpacket-bug.patch: attempt to backport the fix to the
  splitpacket() bug from the upstream svn fix. (LP: #629439)

lp://staging/ubuntu/lucid-security/eglibc bug Mature 2015-02-25 09:19:02 UTC
54. * SECURITY UPDATE: getaddrinfo writes...

Author: Marc Deslauriers
Revision Date: 2015-02-25 09:19:02 UTC

* SECURITY UPDATE: getaddrinfo writes to random file descriptors under
  high load
  - debian/patches/any/cvs-resolv-reuse-fd.diff: reload file descriptor
    after calling reopen in resolv/res_send.c.
  - CVE-2013-7423
* SECURITY UPDATE: denial of service via endless loop in getaddr_r
  - debian/patches/any/cvs-getnetbyname.diff: iterate over alias names in
    resolv/nss_dns/dns-network.c.
  - CVE-2014-9402

lp://staging/ubuntu/lucid-updates/eglibc bug Mature 2015-02-25 09:19:02 UTC
60. * SECURITY UPDATE: getaddrinfo writes...

Author: Marc Deslauriers
Revision Date: 2015-02-25 09:19:02 UTC

* SECURITY UPDATE: getaddrinfo writes to random file descriptors under
  high load
  - debian/patches/any/cvs-resolv-reuse-fd.diff: reload file descriptor
    after calling reopen in resolv/res_send.c.
  - CVE-2013-7423
* SECURITY UPDATE: denial of service via endless loop in getaddr_r
  - debian/patches/any/cvs-getnetbyname.diff: iterate over alias names in
    resolv/nss_dns/dns-network.c.
  - CVE-2014-9402

lp://staging/ubuntu/lucid-security/freetype bug Mature 2015-02-24 11:22:14 UTC
34. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-02-24 11:22:14 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  multiple security issues
  - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large
    quantity of upstream commits to fix multiple security issues.
  - CVE-2014-9656
  - CVE-2014-9657
  - CVE-2014-9658
  - CVE-2014-9660
  - CVE-2014-9661
  - CVE-2014-9663
  - CVE-2014-9664
  - CVE-2014-9666
  - CVE-2014-9667
  - CVE-2014-9669
  - CVE-2014-9670
  - CVE-2014-9671
  - CVE-2014-9672
  - CVE-2014-9673
  - CVE-2014-9674
  - CVE-2014-9675

lp://staging/ubuntu/lucid-updates/freetype Mature 2015-02-24 11:22:14 UTC
34. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-02-24 11:22:14 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  multiple security issues
  - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large
    quantity of upstream commits to fix multiple security issues.
  - CVE-2014-9656
  - CVE-2014-9657
  - CVE-2014-9658
  - CVE-2014-9660
  - CVE-2014-9661
  - CVE-2014-9663
  - CVE-2014-9664
  - CVE-2014-9666
  - CVE-2014-9667
  - CVE-2014-9669
  - CVE-2014-9670
  - CVE-2014-9671
  - CVE-2014-9672
  - CVE-2014-9673
  - CVE-2014-9674
  - CVE-2014-9675

lp://staging/ubuntu/lucid-security/e2fsprogs Mature 2015-02-23 19:10:15 UTC
41. * SECURITY UPDATE: heap overflow via ...

Author: Marc Deslauriers
Revision Date: 2015-02-16 13:48:39 UTC

* SECURITY UPDATE: heap overflow via block group descriptor information
  - limit first_meta_bg in lib/ext2fs/closefs.c, lib/ext2fs/openfs.c.
  - https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
  - CVE-2015-0247
* SECURITY UPDATE: buffer overflow in closefs()
  - properly check against fs->desc_blocks in lib/ext2fs/closefs.c.
  - https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a
  - CVE-2015-1572

lp://staging/ubuntu/lucid-security/ca-certificates bug Mature 2015-02-23 18:43:18 UTC
14. * Update ca-certificates database to ...

Author: Marc Deslauriers
Revision Date: 2015-02-20 08:23:55 UTC

* Update ca-certificates database to 20141019 (LP: #1423904):
  - backport changes from the Ubuntu 15.04 20141019 package

lp://staging/ubuntu/lucid-updates/ca-certificates Mature 2015-02-20 08:23:55 UTC
14. * Update ca-certificates database to ...

Author: Marc Deslauriers
Revision Date: 2015-02-20 08:23:55 UTC

* Update ca-certificates database to 20141019 (LP: #1423904):
  - backport changes from the Ubuntu 15.04 20141019 package

lp://staging/ubuntu/lucid-updates/e2fsprogs Mature 2015-02-16 13:48:39 UTC
41. * SECURITY UPDATE: heap overflow via ...

Author: Marc Deslauriers
Revision Date: 2015-02-16 13:48:39 UTC

* SECURITY UPDATE: heap overflow via block group descriptor information
  - limit first_meta_bg in lib/ext2fs/closefs.c, lib/ext2fs/openfs.c.
  - https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
  - CVE-2015-0247
* SECURITY UPDATE: buffer overflow in closefs()
  - properly check against fs->desc_blocks in lib/ext2fs/closefs.c.
  - https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a
  - CVE-2015-1572

lp://staging/ubuntu/lucid-updates/clamav bug Mature 2015-02-13 00:05:38 UTC
95. [ Marc Deslauriers ] * Updated to 0.9...

Author: chris pollock
Revision Date: 2015-02-08 07:54:07 UTC

[ Marc Deslauriers ]
* Updated to 0.98.6 to fix security issues, including CVE-2014-9328.
  (LP: #1420819)
* Removed upstreamed patches:
  - d/p/0002-Add-an-additional-n-after-the-number-in-the-pidfile.patch
  - d/p/0017-Bump-.so-version-number.patch

[ Chris Pollock ]
* Drop dh_autoreconf from build-depends
* Remove use of dh_autoreconf from debian/rules
* Adjust list of no LLVM architectures in debian/rules to include powerpc
  to avoid FTBFS on lucid

lp://staging/ubuntu/lucid-security/clamav bug Mature 2015-02-12 23:20:18 UTC
91. [ Marc Deslauriers ] * Updated to 0.9...

Author: chris pollock
Revision Date: 2015-02-08 07:54:07 UTC

[ Marc Deslauriers ]
* Updated to 0.98.6 to fix security issues, including CVE-2014-9328.
  (LP: #1420819)
* Removed upstreamed patches:
  - d/p/0002-Add-an-additional-n-after-the-number-in-the-pidfile.patch
  - d/p/0017-Bump-.so-version-number.patch

[ Chris Pollock ]
* Drop dh_autoreconf from build-depends
* Remove use of dh_autoreconf from debian/rules
* Adjust list of no LLVM architectures in debian/rules to include powerpc
  to avoid FTBFS on lucid

lp://staging/ubuntu/lucid-security/postgresql-8.4 bug Mature 2015-02-06 13:18:20 UTC
22. * Add 15-to_char_buffer_overflow.patc...

Author: Martin Pitt
Revision Date: 2015-02-06 13:18:20 UTC

* Add 15-to_char_buffer_overflow.patch and 16-to_char_buffer_overflow_time.patch:
  Fix buffer overruns in to_char() [CVE-2015-0241]
* Add 17-pgcrypto_pullf_read_max_overflow.patch and 18-pgcrypto_imath_fixes.patch:
  Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
* Add 19-ensure_frontend_backend_sync.patch:
  Fix possible loss of frontend/backend protocol synchronization after an
  error [CVE-2015-0244]
* Add 20-column_privilege_leak.patch:
  Fix information leak via constraint-violation error messages
  [CVE-2014-8161]
* Note: CVE-2015-0242 does not affect Ubuntu packages as we use glibc's
  snprintf().

lp://staging/ubuntu/lucid-updates/postgresql-8.4 bug Mature 2015-02-06 13:18:20 UTC
22. * Add 15-to_char_buffer_overflow.patc...

Author: Martin Pitt
Revision Date: 2015-02-06 13:18:20 UTC

* Add 15-to_char_buffer_overflow.patch and 16-to_char_buffer_overflow_time.patch:
  Fix buffer overruns in to_char() [CVE-2015-0241]
* Add 17-pgcrypto_pullf_read_max_overflow.patch and 18-pgcrypto_imath_fixes.patch:
  Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
* Add 19-ensure_frontend_backend_sync.patch:
  Fix possible loss of frontend/backend protocol synchronization after an
  error [CVE-2015-0244]
* Add 20-column_privilege_leak.patch:
  Fix information leak via constraint-violation error messages
  [CVE-2014-8161]
* Note: CVE-2015-0242 does not affect Ubuntu packages as we use glibc's
  snprintf().

lp://staging/ubuntu/lucid-security/ntp Mature 2015-02-06 09:32:14 UTC
41. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-02-06 09:32:14 UTC

* SECURITY UPDATE: denial of service and possible info leakage via
  extension fields
  - debian/patches/CVE-2014-9297.patch: properly check lengths in
    ntpd/ntp_crypto.c, ntpd/ntp_proto.c.
  - CVE-2014-9297
* SECURITY UPDATE: IPv6 ACL bypass
  - debian/patches/CVE-2014-9298.patch: check for spoofed ::1 in
    ntpd/ntp_io.c.
  - CVE-2014-9298

lp://staging/ubuntu/lucid-updates/ntp Mature 2015-02-06 09:32:14 UTC
42. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-02-06 09:32:14 UTC

* SECURITY UPDATE: denial of service and possible info leakage via
  extension fields
  - debian/patches/CVE-2014-9297.patch: properly check lengths in
    ntpd/ntp_crypto.c, ntpd/ntp_proto.c.
  - CVE-2014-9297
* SECURITY UPDATE: IPv6 ACL bypass
  - debian/patches/CVE-2014-9298.patch: check for spoofed ::1 in
    ntpd/ntp_io.c.
  - CVE-2014-9298

lp://staging/ubuntu/lucid-security/unzip Mature 2015-01-29 11:39:12 UTC
21. * SECURITY UPDATE: heap overflow via ...

Author: Marc Deslauriers
Revision Date: 2015-01-29 11:39:12 UTC

* SECURITY UPDATE: heap overflow via mismatched block sizes
  - extract.c: ensure compressed and uncompressed block sizes match when
    using STORED method.
  - CVE-2014-9636

lp://staging/ubuntu/lucid-updates/unzip Mature 2015-01-29 11:39:12 UTC
21. * SECURITY UPDATE: heap overflow via ...

Author: Marc Deslauriers
Revision Date: 2015-01-29 11:39:12 UTC

* SECURITY UPDATE: heap overflow via mismatched block sizes
  - extract.c: ensure compressed and uncompressed block sizes match when
    using STORED method.
  - CVE-2014-9636

lp://staging/ubuntu/lucid-updates/spamassassin Mature 2015-01-28 18:19:19 UTC
31. d/p/disable-ahbl: disable AHBL DNS bl...

Author: Robie Basak
Revision Date: 2015-01-28 02:29:24 UTC

d/p/disable-ahbl: disable AHBL DNS blacklist as it now returns false
positives (LP: #1412830).

lp://staging/ubuntu/lucid-proposed/spamassassin bug Mature 2015-01-28 04:14:38 UTC
31. d/p/disable-ahbl: disable AHBL DNS bl...

Author: Robie Basak
Revision Date: 2015-01-28 02:29:24 UTC

d/p/disable-ahbl: disable AHBL DNS blacklist as it now returns false
positives (LP: #1412830).

lp://staging/ubuntu/lucid-security/ghostscript bug Mature 2015-01-22 13:09:28 UTC
73. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-01-22 13:09:28 UTC

* SECURITY UPDATE: denial of service via crafted ICC color profile
  - debian/patches/CVE-2014-8137.dpatch: prevent double-free in
    jasper/src/libjasper/base/jas_icc.c, remove assert in
    jasper/src/libjasper/jp2/jp2_dec.c.
  - CVE-2014-8137
* SECURITY UPDATE: denial of service or code execution via invalid
  channel number
  - debian/patches/CVE-2014-8138.dpatch: validate channel number in
    jasper/src/libjasper/jp2/jp2_dec.c.
  - CVE-2014-8138
* SECURITY UPDATE: denial of service or code execution via off-by-one
  - debian/patches/CVE-2014-8157.dpatch: fix off-by-one in
    jasper/src/libjasper/jpc/jpc_dec.c.
  - CVE-2014-8157
* SECURITY UPDATE: denial of service or code execution via memory
  corruption
  - debian/patches/CVE-2014-8158.dpatch: remove HAVE_VLA to use more
    sensible buffer sizes in jasper/src/libjasper/jpc/jpc_qmfb.c.
  - CVE-2014-8158

lp://staging/ubuntu/lucid-updates/ghostscript Mature 2015-01-22 13:09:28 UTC
73. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2015-01-22 13:09:28 UTC

* SECURITY UPDATE: denial of service via crafted ICC color profile
  - debian/patches/CVE-2014-8137.dpatch: prevent double-free in
    jasper/src/libjasper/base/jas_icc.c, remove assert in
    jasper/src/libjasper/jp2/jp2_dec.c.
  - CVE-2014-8137
* SECURITY UPDATE: denial of service or code execution via invalid
  channel number
  - debian/patches/CVE-2014-8138.dpatch: validate channel number in
    jasper/src/libjasper/jp2/jp2_dec.c.
  - CVE-2014-8138
* SECURITY UPDATE: denial of service or code execution via off-by-one
  - debian/patches/CVE-2014-8157.dpatch: fix off-by-one in
    jasper/src/libjasper/jpc/jpc_dec.c.
  - CVE-2014-8157
* SECURITY UPDATE: denial of service or code execution via memory
  corruption
  - debian/patches/CVE-2014-8158.dpatch: remove HAVE_VLA to use more
    sensible buffer sizes in jasper/src/libjasper/jpc/jpc_qmfb.c.
  - CVE-2014-8158

lp://staging/ubuntu/lucid-proposed/landscape-client bug Mature 2015-01-21 17:55:41 UTC
39. * New upstream version (LP: #1401523...

Author: Chris Glass
Revision Date: 2014-12-15 00:59:26 UTC

* New upstream version (LP: #1401523):
  - Fix regression occurring when performing Landscape-driven release
    upgrades (LP: #1389686)
  - Fix regression occurring when switching the client between different
    Landscape servers (LP: #1376134)
  - Support reporting QEMU virtualization (LP: #1374501)
  - Bump Juju integration message format (LP: #1369635, LP: #1362506)
  - Drop provisioning registration message (LP: #1344054)
  - Drop cloud registration message (LP: #1342646)
  - Fix handling broken packages (LP: #1326940)
  - Add new Swift usage message type (LP: #1320236)
  - Fix platform detection on POWER machines (LP: #1271615)
  - Fix platform detection for arm64 machines (LP: #1306824)
  - Added a mechanism to set the client's user-agent (LP: #1399139)
  - Fixed release-upgrader not asking for a session ID before attempting to
    send a message (LP: #1401867)
* Added dependency on python-configobj.
* Removed dependency on python-twisted-names

lp://staging/ubuntu/lucid-security/coreutils Mature 2015-01-14 21:24:50 UTC
11. * SECURITY UPDATE: infinite loop or c...

Author: Seth Arnold
Revision Date: 2015-01-13 19:31:18 UTC

* SECURITY UPDATE: infinite loop or crash in TZ environment variable
  handling.
  - debian/patches/CVE-2014-9471.dpatch: modify lib/getdate.y and
    tests/misc/date to avoid crashing with malformed TZ
  - CVE-2014-9471
* SECURITY UPDATE: local privilege escalation via /tmp file race in
  dist-check.mk
  - debian/patches/CVE-2009-4135.dpatch: modify dist-check.mk to no longer
    use system /tmp directory for predictable names
  - CVE-2009-4135

lp://staging/ubuntu/lucid-security/curl bug Mature 2015-01-14 16:46:45 UTC
51. * SECURITY UPDATE: URL request inject...

Author: Marc Deslauriers
Revision Date: 2015-01-14 16:46:45 UTC

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
    lib/url.c.
  - CVE-2014-8150

lp://staging/ubuntu/lucid-updates/curl bug Mature 2015-01-14 16:46:45 UTC
51. * SECURITY UPDATE: URL request inject...

Author: Marc Deslauriers
Revision Date: 2015-01-14 16:46:45 UTC

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
    lib/url.c.
  - CVE-2014-8150

lp://staging/ubuntu/lucid-updates/coreutils bug Mature 2015-01-13 19:31:18 UTC
11. * SECURITY UPDATE: infinite loop or c...

Author: Seth Arnold
Revision Date: 2015-01-13 19:31:18 UTC

* SECURITY UPDATE: infinite loop or crash in TZ environment variable
  handling.
  - debian/patches/CVE-2014-9471.dpatch: modify lib/getdate.y and
    tests/misc/date to avoid crashing with malformed TZ
  - CVE-2014-9471
* SECURITY UPDATE: local privilege escalation via /tmp file race in
  dist-check.mk
  - debian/patches/CVE-2009-4135.dpatch: modify dist-check.mk to no longer
    use system /tmp directory for predictable names
  - CVE-2009-4135

lp://staging/ubuntu/lucid-updates/bsd-mailx Mature 2015-01-07 19:58:53 UTC
6. * SECURITY UPDATE: shell command inje...

Author: Marc Deslauriers
Revision Date: 2015-01-05 11:42:56 UTC

* SECURITY UPDATE: shell command injection
  - Apply OpenBSD patches from Todd Miller (taken from Debian update):
    + glob.h, main.c, quit.c, mail.1: remove undocumented/obsolete -T
      option
    + main.c, mail.1: adjust -f processing
    + mail.1, names.c: fix CVE-2014-7844
    + main.c, mail.1: make -- work for option parsing suppression
  - CVE-2014-7844

lp://staging/ubuntu/lucid-security/bsd-mailx Mature 2015-01-07 19:17:03 UTC
6. * SECURITY UPDATE: shell command inje...

Author: Marc Deslauriers
Revision Date: 2015-01-05 11:42:56 UTC

* SECURITY UPDATE: shell command injection
  - Apply OpenBSD patches from Todd Miller (taken from Debian update):
    + glob.h, main.c, quit.c, mail.1: remove undocumented/obsolete -T
      option
    + main.c, mail.1: adjust -f processing
    + mail.1, names.c: fix CVE-2014-7844
    + main.c, mail.1: make -- work for option parsing suppression
  - CVE-2014-7844

lp://staging/ubuntu/lucid-updates/mime-support Mature 2015-01-07 18:49:35 UTC
9. * SECURITY UPDATE: shell command inje...

Author: Marc Deslauriers
Revision Date: 2015-01-06 14:17:22 UTC

* SECURITY UPDATE: shell command injection in run-mailcap
  - Thanks to Salvatore Bonaccorso and Charles Plessy for the patch.
  - CVE-2014-7209

lp://staging/ubuntu/lucid-security/mime-support Mature 2015-01-07 17:59:42 UTC
9. * SECURITY UPDATE: shell command inje...

Author: Marc Deslauriers
Revision Date: 2015-01-06 14:17:22 UTC

* SECURITY UPDATE: shell command injection in run-mailcap
  - Thanks to Salvatore Bonaccorso and Charles Plessy for the patch.
  - CVE-2014-7209

lp://staging/ubuntu/lucid-updates/lazr.restfulclient bug Mature 2014-12-18 18:13:59 UTC
13. Always uppercase HTTP methods to matc...

Author: Colin Watson
Revision Date: 2014-12-11 16:30:02 UTC

Always uppercase HTTP methods to match httplib2 expectations
(LP: #1401544).

lp://staging/ubuntu/lucid-updates/landscape-client Mature 2014-12-15 00:59:26 UTC
39. * New upstream version (LP: #1401523...

Author: Chris Glass
Revision Date: 2014-12-15 00:59:26 UTC

* New upstream version (LP: #1401523):
  - Fix regression occurring when performing Landscape-driven release
    upgrades (LP: #1389686)
  - Fix regression occurring when switching the client between different
    Landscape servers (LP: #1376134)
  - Support reporting QEMU virtualization (LP: #1374501)
  - Bump Juju integration message format (LP: #1369635, LP: #1362506)
  - Drop provisioning registration message (LP: #1344054)
  - Drop cloud registration message (LP: #1342646)
  - Fix handling broken packages (LP: #1326940)
  - Add new Swift usage message type (LP: #1320236)
  - Fix platform detection on POWER machines (LP: #1271615)
  - Fix platform detection for arm64 machines (LP: #1306824)
  - Added a mechanism to set the client's user-agent (LP: #1399139)
  - Fixed release-upgrader not asking for a session ID before attempting to
    send a message (LP: #1401867)
* Added dependency on python-configobj.
* Removed dependency on python-twisted-names

lp://staging/ubuntu/lucid-proposed/lazr.restfulclient bug Mature 2014-12-11 17:08:37 UTC
14. Always uppercase HTTP methods to matc...

Author: Colin Watson
Revision Date: 2014-12-11 16:30:02 UTC

Always uppercase HTTP methods to match httplib2 expectations
(LP: #1401544).

lp://staging/ubuntu/lucid-security/mutt Mature 2014-12-10 12:46:54 UTC
31. * SECURITY UPDATE: heap-based overflo...

Author: Steve Beattie
Revision Date: 2014-12-10 12:46:54 UTC

* SECURITY UPDATE: heap-based overflow in mutt_substrdup() when
  handling headers beginning with newline.
  - debian/patches/ubuntu/mutt-CVE-2014-9116.patch
  - CVE-2014-9116

lp://staging/ubuntu/lucid-updates/mutt Mature 2014-12-10 12:46:54 UTC
31. * SECURITY UPDATE: heap-based overflo...

Author: Steve Beattie
Revision Date: 2014-12-10 12:46:54 UTC

* SECURITY UPDATE: heap-based overflow in mutt_substrdup() when
  handling headers beginning with newline.
  - debian/patches/ubuntu/mutt-CVE-2014-9116.patch
  - CVE-2014-9116

lp://staging/ubuntu/lucid-security/bind9 Mature 2014-12-09 13:46:06 UTC
32. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2014-12-09 13:46:06 UTC

* SECURITY UPDATE: denial of service via delegation handling defect
  - limit max recursion in bin/named/config.c, bin/named/query.c,
    bin/named/server.c, lib/dns/adb.c, lib/dns/include/dns/adb.h,
    lib/dns/include/dns/resolver.h, lib/dns/resolver.c,
    lib/export/isc/Makefile.in, lib/isc/Makefile.in, lib/isc/counter.c,
    lib/isc/include/isc/counter.h, lib/isc/include/isc/Makefile.in,
    lib/isc/include/isc/types.h, lib/isc/tests/counter_test.c,
    lib/isccfg/namedconf.c.
  - Based on patch provided by upstream.
  - CVE-2014-8500

lp://staging/ubuntu/lucid-updates/bind9 Mature 2014-12-09 13:46:06 UTC
32. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2014-12-09 13:46:06 UTC

* SECURITY UPDATE: denial of service via delegation handling defect
  - limit max recursion in bin/named/config.c, bin/named/query.c,
    bin/named/server.c, lib/dns/adb.c, lib/dns/include/dns/adb.h,
    lib/dns/include/dns/resolver.h, lib/dns/resolver.c,
    lib/export/isc/Makefile.in, lib/isc/Makefile.in, lib/isc/counter.c,
    lib/isc/include/isc/counter.h, lib/isc/include/isc/Makefile.in,
    lib/isc/include/isc/types.h, lib/isc/tests/counter_test.c,
    lib/isccfg/namedconf.c.
  - Based on patch provided by upstream.
  - CVE-2014-8500

lp://staging/ubuntu/lucid-security/graphviz Mature 2014-12-04 16:33:37 UTC
33. * SECURITY UPDATE: Format string vuln...

Author: Seth Arnold
Revision Date: 2014-12-04 16:33:37 UTC

* SECURITY UPDATE: Format string vulnerability may allow attackers to
  cause a denial of service or possibly execute code.
  - debian/patches/CVE-2014-9157.patch: Fix format string vulnerability in
    lib/cgraph/scan.l yyerror() routine.
  - CVE-2014-9157

lp://staging/ubuntu/lucid-updates/graphviz Mature 2014-12-04 16:33:37 UTC
33. * SECURITY UPDATE: Format string vuln...

Author: Seth Arnold
Revision Date: 2014-12-04 16:33:37 UTC

* SECURITY UPDATE: Format string vulnerability may allow attackers to
  cause a denial of service or possibly execute code.
  - debian/patches/CVE-2014-9157.patch: Fix format string vulnerability in
    lib/cgraph/scan.l yyerror() routine.
  - CVE-2014-9157

lp://staging/ubuntu/lucid-updates/tcpdump Mature 2014-12-04 14:37:28 UTC
17. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2014-12-03 17:17:23 UTC

* SECURITY UPDATE: denial of service and possible code execution in
  olsr_print
  - debian/patches/CVE-2014-8767.patch: improve bounds checking and
    error handling in print-olsr.c.
  - CVE-2014-8767
* SECURITY UPDATE: denial of service and possible code execution in
  print-aodv.c
  - debian/patches/CVE-2014-8769.patch: improve bounds checking and
    length checking in print-aodv.c, aodv.h.
  - CVE-2014-8769
* SECURITY UPDATE: denial of service and possible code execution in
  print-ppp.c
  - debian/patches/CVE-2014-9140.patch: improve bounds checking in
    print-ppp.c.
  - CVE-2014-9140

lp://staging/ubuntu/lucid-security/tcpdump Mature 2014-12-04 14:13:56 UTC
17. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2014-12-03 17:17:23 UTC

* SECURITY UPDATE: denial of service and possible code execution in
  olsr_print
  - debian/patches/CVE-2014-8767.patch: improve bounds checking and
    error handling in print-olsr.c.
  - CVE-2014-8767
* SECURITY UPDATE: denial of service and possible code execution in
  print-aodv.c
  - debian/patches/CVE-2014-8769.patch: improve bounds checking and
    length checking in print-aodv.c, aodv.h.
  - CVE-2014-8769
* SECURITY UPDATE: denial of service and possible code execution in
  print-ppp.c
  - debian/patches/CVE-2014-9140.patch: improve bounds checking in
    print-ppp.c.
  - CVE-2014-9140

lp://staging/ubuntu/lucid-updates/ppp Mature 2014-12-01 16:06:47 UTC
22. * SECURITY UPDATE: possible privilege...

Author: Marc Deslauriers
Revision Date: 2014-11-26 07:50:57 UTC

* SECURITY UPDATE: possible privilege escalation via option parsing
  - debian/patches/CVE-2014-3158.patch: fix integer overflow in
    pppd/options.c.
  - CVE-2014-3158

lp://staging/ubuntu/lucid-security/ppp Mature 2014-12-01 15:42:51 UTC
22. * SECURITY UPDATE: possible privilege...

Author: Marc Deslauriers
Revision Date: 2014-11-26 07:50:57 UTC

* SECURITY UPDATE: possible privilege escalation via option parsing
  - debian/patches/CVE-2014-3158.patch: fix integer overflow in
    pppd/options.c.
  - CVE-2014-3158

lp://staging/ubuntu/lucid-updates/flac Mature 2014-11-27 19:35:27 UTC
18. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2014-11-27 12:28:27 UTC

* SECURITY UPDATE: arbitrary code execution via crafted .flac file
  - debian/patches/CVE-2014-8962.dpatch: validate id in
    src/libFLAC/stream_decoder.c.
  - CVE-2014-8962
* SECURITY UPDATE: arbitrary code execution via crafted .flac file
  - debian/patches/CVE-2014-9028.dpatch: error out to avoid heap overflow
    in src/libFLAC/stream_decoder.c.
  - CVE-2014-9028

lp://staging/ubuntu/lucid-security/flac Mature 2014-11-27 19:07:14 UTC
18. * SECURITY UPDATE: arbitrary code exe...

Author: Marc Deslauriers
Revision Date: 2014-11-27 12:28:27 UTC

* SECURITY UPDATE: arbitrary code execution via crafted .flac file
  - debian/patches/CVE-2014-8962.dpatch: validate id in
    src/libFLAC/stream_decoder.c.
  - CVE-2014-8962
* SECURITY UPDATE: arbitrary code execution via crafted .flac file
  - debian/patches/CVE-2014-9028.dpatch: error out to avoid heap overflow
    in src/libFLAC/stream_decoder.c.
  - CVE-2014-9028

lp://staging/~ubuntu-branches/ubuntu/lucid/landscape-client/lucid-updates-201411191716 (Has a merge proposal) Development 2014-11-19 17:16:32 UTC
38. add tracking bug

Author: Martin Pitt
Revision Date: 2012-04-16 10:02:07 UTC

add tracking bug

lp://staging/ubuntu/lucid-updates/konversation Mature 2014-11-15 04:54:51 UTC
47. * SECURITY UPDATE: out-of-bounds read...

Author: Jonathan Riddell
Revision Date: 2014-11-04 17:40:19 UTC

* SECURITY UPDATE: out-of-bounds read on a heap-allocated array LP: #1389296
  - Add kubuntu_02_cve-2014-8483.diff to verify read bounds
  - CVE-2014-8483
  - https://www.kde.org/info/security/advisory-20140923-1.txt

lp://staging/ubuntu/lucid-security/konversation bug Mature 2014-11-15 04:54:44 UTC
47. * SECURITY UPDATE: out-of-bounds read...

Author: Jonathan Riddell
Revision Date: 2014-11-04 17:40:19 UTC

* SECURITY UPDATE: out-of-bounds read on a heap-allocated array LP: #1389296
  - Add kubuntu_02_cve-2014-8483.diff to verify read bounds
  - CVE-2014-8483
  - https://www.kde.org/info/security/advisory-20140923-1.txt

lp://staging/ubuntu/lucid-proposed/apt bug Mature 2014-10-30 21:40:45 UTC
117. [ David Kalnischkies ] * methods/http...

Author: Michael Vogt
Revision Date: 2014-10-17 10:09:56 UTC

[ David Kalnischkies ]
* methods/http.cc:
  - retry without partial data after a 416 response (closes: 710924)
    LP: #1382401

lp://staging/ubuntu/lucid-security/wget Mature 2014-10-30 10:10:03 UTC
18. * SECURITY UPDATE: remote code execut...

Author: Marc Deslauriers
Revision Date: 2014-10-30 10:10:03 UTC

* SECURITY UPDATE: remote code execution via absolute path traversal
  vulnerability in FTP
  - debian/patches/CVE-2014-4877.dpatch: don't create local symlinks in
    src/init.c, check for duplicate file nodes in src/ftp.c, updated
    documentation in doc/wget.texi.
  - CVE-2014-4877

lp://staging/ubuntu/lucid-updates/wget Mature 2014-10-30 10:10:03 UTC
18. * SECURITY UPDATE: remote code execut...

Author: Marc Deslauriers
Revision Date: 2014-10-30 10:10:03 UTC

* SECURITY UPDATE: remote code execution via absolute path traversal
  vulnerability in FTP
  - debian/patches/CVE-2014-4877.dpatch: don't create local symlinks in
    src/init.c, check for duplicate file nodes in src/ftp.c, updated
    documentation in doc/wget.texi.
  - CVE-2014-4877

lp://staging/ubuntu/lucid-security/libxml2 bug Mature 2014-10-22 14:27:25 UTC
50. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2014-10-22 14:27:25 UTC

* SECURITY UPDATE: denial of service via entity expansion
  - parser.c, SAX2.c, include/libxml/entities.h: refactor entity checking
    and add additional tests.
  - https://git.gnome.org/browse/libxml2/commit/?id=a3f1e3e5712257fd279917a9158278534e8f4b72
  - https://git.gnome.org/browse/libxml2/commit/?id=cff2546f13503ac028e4c1f63c7b6d85f2f2d777
  - https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230
  - CVE-2014-3660

lp://staging/ubuntu/lucid-updates/libxml2 Mature 2014-10-22 14:27:25 UTC
50. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2014-10-22 14:27:25 UTC

* SECURITY UPDATE: denial of service via entity expansion
  - parser.c, SAX2.c, include/libxml/entities.h: refactor entity checking
    and add additional tests.
  - https://git.gnome.org/browse/libxml2/commit/?id=a3f1e3e5712257fd279917a9158278534e8f4b72
  - https://git.gnome.org/browse/libxml2/commit/?id=cff2546f13503ac028e4c1f63c7b6d85f2f2d777
  - https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230
  - CVE-2014-3660

lp://staging/ubuntu/lucid-security/wpasupplicant Mature 2014-10-14 18:03:23 UTC
9. * SECURITY UPDATE: arbitrary command ...

Author: Marc Deslauriers
Revision Date: 2014-10-10 09:27:24 UTC

* SECURITY UPDATE: arbitrary command execution via unsanitized string
  passed to action scripts by wpa_cli
  - debian/patches/CVE-2014-3686.patch: added os_exec() helper to
    src/utils/os.h, src/utils/os_unix.c, src/utils/os_win32.c,
    use instead of system() in wpa_supplicant/wpa_cli.c.
  - CVE-2014-3686

lp://staging/ubuntu/lucid-updates/wpasupplicant Mature 2014-10-10 09:27:24 UTC
10. * SECURITY UPDATE: arbitrary command ...

Author: Marc Deslauriers
Revision Date: 2014-10-10 09:27:24 UTC

* SECURITY UPDATE: arbitrary command execution via unsanitized string
  passed to action scripts by wpa_cli
  - debian/patches/CVE-2014-3686.patch: added os_exec() helper to
    src/utils/os.h, src/utils/os_unix.c, src/utils/os_win32.c,
    use instead of system() in wpa_supplicant/wpa_cli.c.
  - CVE-2014-3686

lp://staging/ubuntu/lucid-security/rsyslog Mature 2014-10-09 16:51:44 UTC
28. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2014-10-02 11:36:23 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  invalid PRI value
  - debian/patches/CVE-2014-3634.patch: limit PRI values in
    runtime/rsyslog.h.
  - CVE-2014-3634
  - CVE-2014-3683

lp://staging/ubuntu/lucid-security/bash Mature 2014-10-07 14:26:26 UTC
51. * SECURITY UPDATE: incorrect function...

Author: Marc Deslauriers
Revision Date: 2014-10-07 14:26:26 UTC

* SECURITY UPDATE: incorrect function definition parsing with
  here-document delimited by end-of-file
  - debian/patches/CVE-2014-6277.dpatch: properly handle closing
    delimiter in copy_cmd.c, make_cmd.c.
  - CVE-2014-6277
* SECURITY UPDATE: incorrect function definition parsing via nested
  command substitutions
  - debian/patches/CVE-2014-6278.dpatch: properly handle certain parsing
    attempts in builtins/evalstring.c, parse.y, shell.h.
  - CVE-2014-6278
* debian/rules: added new patches to list.
* Updated patches with official upstream versions:
  - debian/patches/CVE-2014-6271.dpatch
  - debian/patches/CVE-2014-7169.dpatch
  - debian/patches/variables-affix.dpatch
  - debian/patches/CVE-2014-718x.dpatch

lp://staging/ubuntu/lucid-updates/bash Mature 2014-10-07 14:26:26 UTC
51. * SECURITY UPDATE: incorrect function...

Author: Marc Deslauriers
Revision Date: 2014-10-07 14:26:26 UTC

* SECURITY UPDATE: incorrect function definition parsing with
  here-document delimited by end-of-file
  - debian/patches/CVE-2014-6277.dpatch: properly handle closing
    delimiter in copy_cmd.c, make_cmd.c.
  - CVE-2014-6277
* SECURITY UPDATE: incorrect function definition parsing via nested
  command substitutions
  - debian/patches/CVE-2014-6278.dpatch: properly handle certain parsing
    attempts in builtins/evalstring.c, parse.y, shell.h.
  - CVE-2014-6278
* debian/rules: added new patches to list.
* Updated patches with official upstream versions:
  - debian/patches/CVE-2014-6271.dpatch
  - debian/patches/CVE-2014-7169.dpatch
  - debian/patches/variables-affix.dpatch
  - debian/patches/CVE-2014-718x.dpatch

lp://staging/ubuntu/lucid-updates/rsyslog Mature 2014-10-02 11:36:23 UTC
28. * SECURITY UPDATE: denial of service ...

Author: Marc Deslauriers
Revision Date: 2014-10-02 11:36:23 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  invalid PRI value
  - debian/patches/CVE-2014-3634.patch: limit PRI values in
    runtime/rsyslog.h.
  - CVE-2014-3634
  - CVE-2014-3683

lp://staging/ubuntu/lucid-proposed/man-db bug Mature 2014-09-23 17:14:45 UTC
23. Cache the value of man-db/auto-update...

Author: Colin Watson
Revision Date: 2014-09-23 11:56:37 UTC

Cache the value of man-db/auto-update in the file system, so that we
don't have to talk to debconf when processing triggers (LP: #1372673).

lp://staging/ubuntu/lucid-security/apt bug Mature 2014-09-23 16:41:58 UTC
111. * SECURITY UPDATE: - fix potential ...

Author: Michael Vogt
Revision Date: 2014-09-23 08:58:49 UTC

* SECURITY UPDATE:
  - fix potential buffer overflow, thanks to the
    Google Security Team (CVE-2014-6273)
* Fix regression from the previous upload when file:/// sources
  are used and those are on a different partition than
  the apt state directory (LP: #1371058)
* Fix regression when Dir::state::lists is set to a relative path
* Fix regression when cdrom: sources got rewritten by apt-cdrom add

lp://staging/ubuntu/lucid-updates/man-db Mature 2014-09-23 11:56:37 UTC
23. Cache the value of man-db/auto-update...

Author: Colin Watson
Revision Date: 2014-09-23 11:56:37 UTC

Cache the value of man-db/auto-update in the file system, so that we
don't have to talk to debconf when processing triggers (LP: #1372673).

lp://staging/ubuntu/lucid-updates/apt bug Mature 2014-09-23 08:58:49 UTC
111. * SECURITY UPDATE: - fix potential ...

Author: Michael Vogt
Revision Date: 2014-09-23 08:58:49 UTC

* SECURITY UPDATE:
  - fix potential buffer overflow, thanks to the
    Google Security Team (CVE-2014-6273)
* Fix regression from the previous upload when file:/// sources
  are used and those are on a different partition than
  the apt state directory (LP: #1371058)
* Fix regression when Dir::state::lists is set to a relative path
* Fix regression when cdrom: sources got rewritten by apt-cdrom add

lp://staging/ubuntu/lucid-security/nspr Mature 2014-09-19 08:25:13 UTC
24. * Update to 4.10.7 to support nss sec...

Author: Marc Deslauriers
Revision Date: 2014-09-19 08:25:13 UTC

* Update to 4.10.7 to support nss security update.
* Removed unneeded patches:
  - debian/patches/30_config_64bits.patch: no longer needed
  - debian/patches/99_configure.patch: no longer needed
  - debian/patches/CVE-2013-5607.patch: included upstream.
  - debian/patches/CVE-2014-1545.patch: included upstream.
* debian/libnspr4-0d.symbols: updated for new version.
* debian/rules: adjust paths, add --enable-64bit when appropriate.

lp://staging/ubuntu/lucid-updates/nspr Mature 2014-09-19 08:25:13 UTC
24. * Update to 4.10.7 to support nss sec...

Author: Marc Deslauriers
Revision Date: 2014-09-19 08:25:13 UTC

* Update to 4.10.7 to support nss security update.
* Removed unneeded patches:
  - debian/patches/30_config_64bits.patch: no longer needed
  - debian/patches/99_configure.patch: no longer needed
  - debian/patches/CVE-2013-5607.patch: included upstream.
  - debian/patches/CVE-2014-1545.patch: included upstream.
* debian/libnspr4-0d.symbols: updated for new version.
* debian/rules: adjust paths, add --enable-64bit when appropriate.

lp://staging/ubuntu/lucid-security/python-django bug Mature 2014-09-10 13:07:32 UTC
39. * SECURITY UPDATE: incorrect url vali...

Author: Marc Deslauriers
Revision Date: 2014-09-10 13:07:32 UTC

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/modeltests/files/models.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

lp://staging/ubuntu/lucid-updates/python-django bug Mature 2014-09-10 13:07:32 UTC
39. * SECURITY UPDATE: incorrect url vali...

Author: Marc Deslauriers
Revision Date: 2014-09-10 13:07:32 UTC

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/modeltests/files/models.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

lp://staging/ubuntu/lucid-security/nss bug Mature 2014-09-09 07:54:31 UTC
34. * SECURITY UPDATE: possible arbitrary...

Author: Marc Deslauriers
Revision Date: 2014-09-09 07:54:31 UTC

* SECURITY UPDATE: possible arbitrary code execution via race condition
  - debian/patches/CVE-2014-1544.patch: prevent
    nssTrustDomain_AddCertsToCache from freeing the CERTCertificate
    associated with the NSSCertificate in nss/lib/pk11wrap/pk11cert.c.
  - CVE-2014-1544

lp://staging/ubuntu/lucid-updates/procmail Mature 2014-09-04 18:26:09 UTC
13. * SECURITY UPDATE: heap overflow in f...

Author: Marc Deslauriers
Revision Date: 2014-09-04 09:43:29 UTC

* SECURITY UPDATE: heap overflow in formail via malformed from header
  - src/formisc.c: handle unbalanced quotes
  - Patch by Tavis Ormandy
  - CVE-2014-3618

lp://staging/ubuntu/lucid-security/procmail Mature 2014-09-04 17:50:14 UTC
13. * SECURITY UPDATE: heap overflow in f...

Author: Marc Deslauriers
Revision Date: 2014-09-04 09:43:29 UTC

* SECURITY UPDATE: heap overflow in formail via malformed from header
  - src/formisc.c: handle unbalanced quotes
  - Patch by Tavis Ormandy
  - CVE-2014-3618
