Branches for Maverick

Author: Scott Moser
Revision Date: 2012-03-16 14:36:07 UTC

* add ability to configure Acquire::http::Pipeline-Depth via
  cloud-config setting 'apt_pipelining' (LP: #948461)
* debian/cloud-init.postinst: address population of apt_pipeline
  setting on installation.

Author: Scott Moser
Revision Date: 2010-09-16 04:28:55 UTC

do not use ec2 ubuntu archive if instance is VPC (LP: #615545)

Author: Matthias Klose
Revision Date: 2011-03-27 17:57:07 UTC

* Re-enable the upstream change:
  2010-06-02 Kirill A. Shutemov <kirill@shutemov.name>
      * elf/dl-reloc.c: Flush cache after solving TEXTRELs if arch
      requires it.
  Working OpenJDK ARM assembler interpreter. LP: #605042.

Author: Steve Beattie
Revision Date: 2012-03-06 12:12:55 UTC

* SECURITY UPDATE: timezone header parsing integer overflow (LP: #906961)
  - debian/patches/any/glibc-CVE-2009-5029.patch: Check values from
    TZ file header
  - CVE-2009-5029
* SECURITY UPDATE: memory consumption denial of service in fnmatch
  - debian/patches/any/glibc-CVE-2011-1071.patch: avoid too much
    stack use in fnmatch.
  - CVE-2011-1071
* SECURITY UPDATE: /etc/mtab corruption denial of service
  - debian/patches/any/glibc-CVE-2011-1089.patch: Report write
    error in addmnt even for cached streams
  - CVE-2011-1089
* SECURITY UPDATE: insufficient locale environment sanitization
  - debian/patches/any/glibc-CVE-2011-1095.patch: escape contents of
    LANG environment variable.
  - CVE-2011-1095
* SECURITY UPDATE: ld.so insecure handling of privileged programs'
  RPATHs with $ORIGIN
  - debian/patches/any/glibc-CVE-2011-1658.patch: improve handling of
    RPATH and ORIGIN
  - CVE-2011-1658
* SECURITY UPDATE: fnmatch integer overflow
  - debian/patches/any/glibc-CVE-2011-1659.patch: check size of
    pattern in wide character representation
  - CVE-2011-1659
* SECURITY UPDATE: DoS in RPC implementation (LP: #901716)
  - debian/patches/any/glibc-CVE-2011-4609.patch: nanosleep when too
    many open fds is detected
  - CVE-2011-4609
* SECURITY UPDATE: vfprintf nargs overflow leading to FORTIFY
  check bypass
  - debian/patches/any/glibc-CVE-2012-0864.patch: check for integer
    overflow
  - CVE-2012-0864

Author: Steve Beattie
Revision Date: 2011-10-25 15:58:45 UTC

* SECURITY UPDATE: remote HTML injection (LP: #879301)
  - debian/patches/75_empathy-CVE-2011-3635-lp879301.patch: escape
    HTML in when displaying other users' names. (Thanks to upstream
    for patch.)
  - CVE-2011-3635, CVE-2011-4170

Author: Didier Roche-Tolomelli
Revision Date: 2010-10-01 16:06:56 UTC

* debian/patches/91_git_fix_gtalk_for_new_accounts.patch:
  - from upstream: fix empathy to be compatible with gtalk new accounts

Author: Scott Kitterman
Revision Date: 2011-02-18 12:45:11 UTC

* New upstream release per KDE microversion update exception (LP: #721269)
  - Fix so versions for building with KDE 4.5
  - Bump down kde-sc-dev-latest and kdelibs5-dev to 4.5.1 to build for maverick

Author: Max Bowsher
Revision Date: 2012-07-25 08:31:48 UTC

Fix mangled duplication in debian/patches/03_spurious_test_failure

Author: Jo Shields
Revision Date: 2010-10-04 20:58:14 UTC

* ARM development made possible by Genesi USA
* add_arm_to_firefox-xpi.m4.patch:
  + For reasons best known to themselves, Mozilla don't define a
    plugin ABI for several platforms, including ARM. This patch
    tweaks the build system not to fail on ARM, by setting the
    bogus Linux_unknownABI ABI on ARM, rather than bailing out.
    (LP: #635406)
* realign_nocodec_API_with_codec_API.patch:
  + Import upstream git commit 66993b158727585e889d, which fixes
    the build on architectures without official binary codecs
    available (such as ARM and PowerPC).

Author: Max Bowsher
Revision Date: 2012-07-24 03:40:50 UTC

Move upstream source modifications to quilt patch.

Author: Max Bowsher
Revision Date: 2012-07-21 01:21:19 UTC

Increment version.

Author: Max Bowsher
Revision Date: 2012-07-21 00:58:12 UTC

Build distro-info with python-support.

Author: Max Bowsher
Revision Date: 2012-07-20 20:52:39 UTC

Actually add debian/patches/07_revert_no_tty

Author: Max Bowsher
Revision Date: 2012-06-27 23:17:57 UTC

maverick

Author: Marc Deslauriers
Revision Date: 2012-01-25 14:09:00 UTC

* SECURITY UPDATE: denial of service via hash collision and incorrect
  handling of large numbers of parameters and parameter values
  (LP: #909828)
  - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
    code in conf/web.xml,
    java/org/apache/catalina/connector/Connector.java,
    java/org/apache/catalina/connector/mbeans-descriptors.xml,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/filters/FailedRequestFilter.java,
    java/org/apache/catalina/Globals.java,
    java/org/apache/coyote/Request.java,
    java/org/apache/tomcat/util/buf/B2CConverter.java,
    java/org/apache/tomcat/util/buf/ByteChunk.java,
    java/org/apache/tomcat/util/buf/MessageBytes.java,
    java/org/apache/tomcat/util/buf/StringCache.java,
    java/org/apache/tomcat/util/http/LocalStrings.properties,
    java/org/apache/tomcat/util/http/Parameters.java,
    webapps/docs/config/ajp.xml,
    webapps/docs/config/http.xml.
  - CVE-2011-4858
  - CVE-2012-0022

Author: Marc Deslauriers
Revision Date: 2012-01-25 14:09:00 UTC

* SECURITY UPDATE: denial of service via hash collision and incorrect
  handling of large numbers of parameters and parameter values
  (LP: #909828)
  - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
    code in conf/web.xml,
    java/org/apache/catalina/connector/Connector.java,
    java/org/apache/catalina/connector/mbeans-descriptors.xml,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/filters/FailedRequestFilter.java,
    java/org/apache/catalina/Globals.java,
    java/org/apache/coyote/Request.java,
    java/org/apache/tomcat/util/buf/B2CConverter.java,
    java/org/apache/tomcat/util/buf/ByteChunk.java,
    java/org/apache/tomcat/util/buf/MessageBytes.java,
    java/org/apache/tomcat/util/buf/StringCache.java,
    java/org/apache/tomcat/util/http/LocalStrings.properties,
    java/org/apache/tomcat/util/http/Parameters.java,
    webapps/docs/config/ajp.xml,
    webapps/docs/config/http.xml.
  - CVE-2011-4858
  - CVE-2012-0022

Author: Chris Coulson
Revision Date: 2012-01-10 10:34:53 UTC

* Install a copy of the xpi to be picked up by the Ubufox addon
  installer, to transition adblock to a local user extension. Build-depend
  on a new enough mozilla-devscripts and also depend on ubufox (LP: #904594)
  - update debian/rules
  - update debian/control

Author: Chris Coulson
Revision Date: 2012-01-10 10:34:53 UTC

* Install a copy of the xpi to be picked up by the Ubufox addon
  installer, to transition adblock to a local user extension. Build-depend
  on a new enough mozilla-devscripts and also depend on ubufox (LP: #904594)
  - update debian/rules
  - update debian/control

Author: Chris Coulson
Revision Date: 2012-01-10 10:34:53 UTC

* Install a copy of the xpi to be picked up by the Ubufox addon
  installer, to transition adblock to a local user extension. Build-depend
  on a new enough mozilla-devscripts and also depend on ubufox (LP: #904594)
  - update debian/rules
  - update debian/control

Author: Marc Deslauriers
Revision Date: 2012-02-15 22:45:27 UTC

* REGRESSION FIX:
  - DistUpgrade/DistUpgradeViewKDE.py: fix regression caused by improper
    return value handling. (LP: #933225)

Author: Colin Watson
Revision Date: 2011-09-28 00:58:01 UTC

Work around LP #684875: detect /dev/sd* devices with major number 202,
which are really /dev/xvddevices in disguise, and don't use UUIDs for
expressing them as GRUB drives either (LP: #720558).

Author: Colin Watson
Revision Date: 2011-09-28 00:58:01 UTC

Work around LP #684875: detect /dev/sd* devices with major number 202,
which are really /dev/xvddevices in disguise, and don't use UUIDs for
expressing them as GRUB drives either (LP: #720558).

Author: Nobuhiro Iwamatsu
Revision Date: 2010-08-06 01:32:39 UTC

[ Nobuhiro Iwamatsu ]
* Fix typo in cairo-dock-illusion-plugin (Closes: #588463, #588449).
[ Youhei SASAKI ]
* Bump Standard Version: 3.9.1
* Separate patches:
  - fix-plugin-version: change Scooby-Do and Network-monitor reqired version
  - fix-lintian-interreter_error: fix dustbin.conf VERSION_DUSTBIN
  - modified_clean_target: exclude clean_target for data/*.conf

Author: Didier Roche-Tolomelli
Revision Date: 2010-10-06 19:06:18 UTC

releasing version 2.2.0~4-0ubuntu1

Author: Martin Pitt
Revision Date: 2012-03-09 08:47:09 UTC

* New upstream release 2012b:
  - Update DST rules for Chile (LP: #948328), Armenia, Samoa, Cuba,
    Falkland.
  - Fix historic DST rules for Canada.
  - Add leap seconds for June 2012.

Author: Serge Hallyn
Revision Date: 2011-11-15 08:06:57 UTC

New version of debian/patches/lxc-use-own-ptyfns.patch. Previous version
failed to build.

Author: Serge Hallyn
Revision Date: 2011-11-15 08:06:57 UTC

New version of debian/patches/lxc-use-own-ptyfns.patch. Previous version
failed to build.

Author: Surbhi Palande
Revision Date: 2010-09-13 18:59:03 UTC

* debian/initramfs/hook: Added following code (invoked on update-initramfs)
  (LP: #617725):
  - create a mdadm.conf if it is not found in /etc and copy it in initramfs
  - update an existing mdadm.conf in the initramfs if it does'nt include
    a definition of any array
  - warn the user if the definition of an active array is not found in the
    initramfs/etc/mdadm.conf

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Cross-site scripting via HTTP error responses
  - debian/patches/CVE-2010-0541.patch: Use the ISO-8859-1 character
    set for HTTP error responses. Based on upstream patch.
  - CVE-2010-0541
* SECURITY UPDATE: Arbitrary code execution and denial of service
  - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
    corruption during allocation. Based on upstream patch.
  - CVE-2011-0188
* SECURITY UPDATE: Arbitrary file deletion due to symlink race
  - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather
    than recursively removing everything underneath the symlink
    destination. Based on upstream patch.
  - CVE-2011-1004
* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2686.patch: Reseed the random number
    generator each time a child process is created. Based on upstream
    patch.
  - CVE-2011-2686
* SECURITY UPDATE: Predicatable random number generation
  - debian/patches/CVE-2011-2705.patch: Reseed the random number
    generator with the pid number and the current time to prevent
    predictable random numbers in the case of pid number rollover. Based on
    upstream patch.
  - CVE-2011-2705
* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Cross-site scripting via HTTP error responses
  - debian/patches/CVE-2010-0541.patch: Use the ISO-8859-1 character
    set for HTTP error responses. Based on upstream patch.
  - CVE-2010-0541
* SECURITY UPDATE: Arbitrary code execution and denial of service
  - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
    corruption during allocation. Based on upstream patch.
  - CVE-2011-0188
* SECURITY UPDATE: Arbitrary file deletion due to symlink race
  - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather
    than recursively removing everything underneath the symlink
    destination. Based on upstream patch.
  - CVE-2011-1004
* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2686.patch: Reseed the random number
    generator each time a child process is created. Based on upstream
    patch.
  - CVE-2011-2686
* SECURITY UPDATE: Predicatable random number generation
  - debian/patches/CVE-2011-2705.patch: Reseed the random number
    generator with the pid number and the current time to prevent
    predictable random numbers in the case of pid number rollover. Based on
    upstream patch.
  - CVE-2011-2705
* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

Author: Robert Ancell
Revision Date: 2010-08-27 12:11:20 UTC

[ Sam L. ]
Changed the description in debian/control to be less confusing.
(LP: #599785)

Author: Marc Deslauriers
Revision Date: 2011-09-21 10:04:38 UTC

* SECURITY UPDATE: possible arbitrary code execution via malformed GIF
  - debian/patches/09_CVE-2011-2896.patch: properly calculate lengths in
    plug-ins/common/file-gif-load.c.
  - CVE-2011-2896

Author: Bilal Akhtar
Revision Date: 2010-11-10 23:39:24 UTC

* debian/patches/01_add_missing_calls_to_cairo_surface_mark_dirty.patch:
  - Add missing calls to function cairo_surface_mark_dirty to fix the
    problem of prints and print previews coming up as blank pages.
    (LP: #636329)

Author: Marc Deslauriers
Revision Date: 2011-09-21 10:04:38 UTC

* SECURITY UPDATE: possible arbitrary code execution via malformed GIF
  - debian/patches/09_CVE-2011-2896.patch: properly calculate lengths in
    plug-ins/common/file-gif-load.c.
  - CVE-2011-2896

Author: Marc Deslauriers
Revision Date: 2012-01-25 15:11:21 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  out of bounds access
  - debian/patches/CVE-2011-4599.patch: add bounds checks in
    source/common/uloc.c.
  - CVE-2011-4599

Author: Marc Deslauriers
Revision Date: 2012-01-25 15:11:21 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  out of bounds access
  - debian/patches/CVE-2011-4599.patch: add bounds checks in
    source/common/uloc.c.
  - CVE-2011-4599

Author: Jay Berkenbilt
Revision Date: 2009-09-04 11:56:06 UTC

Change install-doc target to not fail if there are subdirectories of
doc/html. This is necessary to handle the doc/html/search directory
created by doxygen 3.6.1. (Closes: #544799)

Author: Michael Bienia
Revision Date: 2010-07-19 22:42:16 UTC

Drop libtokyocabinet-dev (universe) from Build-Depends, use always
libgdbm-dev and also use gdbm for the header cache backend. (lp: #607448)

Author: Tyler Hicks
Revision Date: 2011-09-22 00:34:19 UTC

* SECURITY UPDATE: Failure to verify that a server's hostname matches the
  Common Name listed in a certificate when setting up a TLS connection.
  - debian/patches/ubuntu/CVE-2011-1429.patch: Verify the peer's certificate.
  - CVE-2011-1429

Author: Tyler Hicks
Revision Date: 2011-09-22 00:34:19 UTC

* SECURITY UPDATE: Failure to verify that a server's hostname matches the
  Common Name listed in a certificate when setting up a TLS connection.
  - debian/patches/ubuntu/CVE-2011-1429.patch: Verify the peer's certificate.
  - CVE-2011-1429

Author: Paolo Pisati
Revision Date: 2012-03-30 18:17:15 UTC

* Release Tracking Bug
  - LP: #967066

[ Paolo Pisati ]

* Rebased to 2.6.32-41.88

[ Ubuntu: 2.6.32-41.88 ]

* Release Tracking Bug
  - LP: #966443
* [Config] restore build-% shortcut
* SAUCE: ubuntu drivers: use UMH_WAIT_PROC consistently
  - LP: #963685
* Revert "Revert "USB: xhci - fix unsafe macro definitions""
  - LP: #948139
* Revert "Revert "USB: xhci - fix math in xhci_get_endpoint_interval()""
  - LP: #948139
* Revert "Revert "xhci: Fix full speed bInterval encoding.""
  - LP: #948139
* bsg: fix sysfs link remove warning
  - LP: #946928
* hwmon: (f75375s) Fix bit shifting in f75375_write16
  - LP: #948139
* lib: proportion: lower PROP_MAX_SHIFT to 32 on 64-bit kernel
  - LP: #948139
* relay: prevent integer overflow in relay_open()
  - LP: #948139
* mac80211: timeout a single frame in the rx reorder buffer
  - LP: #948139
* kernel.h: fix wrong usage of __ratelimit()
  - LP: #948139
* printk_ratelimited(): fix uninitialized spinlock
  - LP: #948139
* hwmon: (f75375s) Fix automatic pwm mode setting for F75373 & F75375
  - LP: #948139
* crypto: sha512 - Use binary and instead of modulus
  - LP: #948139
* crypto: sha512 - Avoid stack bloat on i386
  - LP: #948139
* crypto: sha512 - use standard ror64()
  - LP: #948139
* SCSI: 3w-9xxx fix bug in sgl loading
  - LP: #948139
* ARM: 7321/1: cache-v7: Disable preemption when reading CCSIDR
  - LP: #948139
* ARM: 7325/1: fix v7 boot with lockdep enabled
  - LP: #948139
* USB: Added Kamstrup VID/PIDs to cp210x serial driver.
  - LP: #948139
* USB: Fix handoff when BIOS disables host PCI device.
  - LP: #948139
* xhci: Fix encoding for HS bulk/control NAK rate.
  - LP: #948139
* hdpvr: fix race conditon during start of streaming
  - LP: #948139
* cdrom: use copy_to_user() without the underscores
  - LP: #948139
* autofs: work around unhappy compat problem on x86-64
  - LP: #948139
* Fix autofs compile without CONFIG_COMPAT
  - LP: #948139
* compat: fix compile breakage on s390
  - LP: #948139
* PM: Print a warning if firmware is requested when tasks are frozen
  - LP: #948139
* firmware loader: allow builtin firmware load even if usermodehelper is
  disabled
  - LP: #948139
* PM / Sleep: Fix freezer failures due to racy
  usermodehelper_is_disabled()
  - LP: #948139
* PM / Sleep: Fix read_unlock_usermodehelper() call.
  - LP: #948139
* Linux 2.6.32.58
  - LP: #948139
* regset: Prevent null pointer reference on readonly regsets
  - LP: #949905
  - CVE-2012-1097
* regset: Return -EFAULT, not -EIO, on host-side memory fault
  - LP: #949905
  - CVE-2012-1097
* KVM: Remove ability to assign a device without iommu support
  - LP: #897812
  - CVE-2011-4347
* eCryptfs: Copy up lower inode attrs after setting lower xattr
* eCryptfs: Improve statfs reporting
  - LP: #885744
* drm/i915: no lvds quirk for AOpen MP45
  - LP: #955078
* drm/radeon/kms: fix MSI re-arm on rv370+
  - LP: #955078
* Linux 2.6.32.58+drm33.24
  - LP: #955078
* KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
  - LP: #917842
  - CVE-2012-0045
* KVM: x86: fix missing checks in syscall emulation
  - LP: #917842
  - CVE-2012-0045
* eCryptfs: Clear ECRYPTFS_NEW_FILE flag during truncate
  - LP: #745836
* compat: Re-add missing asm/compat.h include to fix compile breakage on
  s390
  - LP: #959252
* IA64: Remove COMPAT_IA32 support
  - LP: #959252
* writeback: fixups for !dirty_writeback_centisecs
  - LP: #959252
* KEYS: Enable the compat keyctl wrapper on s390x
  - LP: #959252
* cifs: fix dentry refcount leak when opening a FIFO on lookup
  - LP: #959252
* net/usbnet: avoid recursive locking in usbnet_stop()
  - LP: #959252
* watchdog: hpwdt: clean up set_memory_x call for 32 bit
  - LP: #959252
* blkfront: Fix backtrace in del_gendisk
  - LP: #959252
* Linux 2.6.32.59
  - LP: #959252
* USB: EHCI: go back to using the system clock for QH unlinks
  - LP: #624510
* kmod: fix resource leak in call_usermodehelper_pipe()
  - LP: #963685
* kmod: add init function to usermodehelper
  - LP: #963685
* usermodehelper: use UMH_WAIT_PROC consistently
  - LP: #963685
* usermodehelper: introduce umh_complete(sub_info)
  - LP: #963685
* usermodehelper: implement UMH_KILLABLE
  - LP: #963685
* usermodehelper: kill umh_wait, renumber UMH_* constants
  - LP: #963685
* usermodehelper: ____call_usermodehelper() doesn't need do_exit()
  - LP: #963685
* kmod: introduce call_modprobe() helper
  - LP: #963685
* kmod: make __request_module() killable
  - LP: #963685

Author: Paolo Pisati
Revision Date: 2012-03-07 15:23:30 UTC

* Release Tracking Bug
  - LP: #947896

[ Paolo Pisati ]

* Rebased to 2.6.32-40.87

[ Ubuntu: 2.6.32-40.87 ]

* Release Tracking Bug
  - LP: #947375
* IB/mlx4: pass SMP vendor-specific attribute MADs to firmware
  - LP: #932043
* mm/filemap_xip.c: fix race condition in xip_file_fault()
  - LP: #932043
* NFSv4: Fix up the callers of nfs4_state_end_reclaim_reboot
  - LP: #932043
* NFSv4: The state manager shouldn't exit on errors that were handled
  - LP: #932043
* NFSv4: Ensure the state manager handles NFS4ERR_NO_GRACE correctly
  - LP: #932043
* NFSv4: Handle NFS4ERR_GRACE when recovering an expired lease.
  - LP: #932043
* NFSv4: Fix open recovery
  - LP: #932043
* rpc client can not deal with ENOSOCK, so translate it into ENOCONN
  - LP: #932043
* udf: Mark LVID buffer as uptodate before marking it dirty
  - LP: #932043
* eCryptfs: Infinite loop due to overflow in ecryptfs_write()
  - LP: #932043
* atmel_lcdfb: fix usage of CONTRAST_CTR in suspend/resume
  - LP: #932043
* Staging: asus_oled: fix image processing
  - LP: #932043
* Staging: android: binder: Don't call dump_stack in binder_vma_open
  - LP: #932043
* Staging: android: binder: Fix crashes when sharing a binder file
  between processes
  - LP: #932043
* usb: gadget: zero: fix bug in loopback autoresume handling
  - LP: #932043
* usb: Skip PCI USB quirk handling for Netlogic XLP
  - LP: #932043
* USB: usbserial: add new PID number (0xa951) to the ftdi driver
  - LP: #932043
* mmc: cb710 core: Add missing spin_lock_init for irq_lock of struct
  cb710_chip
  - LP: #932043
* net: fix sk_forward_alloc corruptions
  - LP: #932043
* net: sock_queue_err_skb() dont mess with sk_forward_alloc
  - LP: #932043
* Linux 2.6.32.57
  - LP: #932043
* Ban ecryptfs over ecryptfs
  - LP: #932987
* eCryptfs: Remove mmap from directory operations
  - LP: #400443
* eCryptfs: Use notify_change for truncating lower inodes
  - LP: #451368
* ecryptfs: read on a directory should return EISDIR if not supported
  - LP: #719691
* eCryptfs: Remove extra d_delete in ecryptfs_rmdir
  - LP: #723518
* eCryptfs: Clear i_nlink in rmdir
  - LP: #723518
* KVM: Device assignment permission checks
  - LP: #897812
  - CVE-2011-4347
* block: Fix io_context leak after clone with CLONE_IO
  - LP: #940743
  - CVE-2012-0879
* block: Fix io_context leak after failure of clone with CLONE_IO
  - LP: #940743
  - CVE-2012-0879
* eCryptfs: Handle failed metadata read in lookup
  - LP: #509180
* drm/i915: Fix TV Out refresh rate.
  - LP: #945114
* Linux 2.6.32.57+drm33.23
  - LP: #945114

Author: Tyler Hicks
Revision Date: 2012-04-04 11:13:02 UTC

* SECURITY UPDATE: Denial of service in client application
  - debian/patches/CVE-2011-4128.patch: Fix buffer bounds check when copying
    session data. Based on upstream patch.
  - CVE-2011-4128
* SECURITY UPDATE: Denial of service via crafted TLS record
  - debian/patches/CVE-2012-1573.patch: Validate the size of a
    GenericBlockCipher structure as it is processed. Based on upstream
    patch.
  - CVE-2012-1573

Author: Aditya V
Revision Date: 2012-04-09 23:01:21 UTC

Change 'precise' to 'maverick' in changelog

Author: Paolo Pisati
Revision Date: 2012-03-30 16:52:51 UTC

* Release Tracking Bug
  - LP: #967065

[ Upstream Kernel Changes ]

* regset: Prevent null pointer reference on readonly regsets
  - LP: #949905
  - CVE-2012-1097
* regset: Return -EFAULT, not -EIO, on host-side memory fault
  - LP: #949905
  - CVE-2012-1097
* mm: memcg: Correct unregistring of events attached to the same eventfd
  - LP: #952828
  - CVE-2012-1146

Author: Tyler Hicks
Revision Date: 2012-04-04 11:13:02 UTC

* SECURITY UPDATE: Denial of service in client application
  - debian/patches/CVE-2011-4128.patch: Fix buffer bounds check when copying
    session data. Based on upstream patch.
  - CVE-2011-4128
* SECURITY UPDATE: Denial of service via crafted TLS record
  - debian/patches/CVE-2012-1573.patch: Validate the size of a
    GenericBlockCipher structure as it is processed. Based on upstream
    patch.
  - CVE-2012-1573

Author: Marc Deslauriers
Revision Date: 2012-04-05 08:41:07 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  memory corruption issue.
  - debian/patches/CVE-2011-3048.patch: correctly restore to previous
    condition in pngset.c.
  - CVE-2011-3048

Author: Marc Deslauriers
Revision Date: 2012-04-05 08:41:07 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  memory corruption issue.
  - debian/patches/CVE-2011-3048.patch: correctly restore to previous
    condition in pngset.c.
  - CVE-2011-3048

Author: Marc Deslauriers
Revision Date: 2012-04-02 11:01:42 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  tiffdump
  - debian/patches/CVE-2010-4665.patch: prevent integer overflow in
    tools/tiffdump.c.
  - CVE-2010-4665
* SECURITY UPDATE: arbitrary code execution via size overflow
  - debian/patches/CVE-2012-1173.patch: use TIFFSafeMultiply in
    libtiff/tif_getimage.c, fix TIFFSafeMultiply in libtiff/tiffiop.h.
  - CVE-2012-1173

Author: Marc Deslauriers
Revision Date: 2012-04-02 11:01:42 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  tiffdump
  - debian/patches/CVE-2010-4665.patch: prevent integer overflow in
    tools/tiffdump.c.
  - CVE-2010-4665
* SECURITY UPDATE: arbitrary code execution via size overflow
  - debian/patches/CVE-2012-1173.patch: use TIFFSafeMultiply in
    libtiff/tif_getimage.c, fix TIFFSafeMultiply in libtiff/tiffiop.h.
  - CVE-2012-1173

Author: Herton R. Krzesinski
Revision Date: 2012-03-30 15:46:52 UTC

linux-mvl-dove 2.6.32-425.44

Author: Evan Broder
Revision Date: 2012-03-28 03:44:44 UTC

Automated backport upload; no source changes.

Author: Marc Deslauriers
Revision Date: 2012-03-23 09:51:16 UTC

* debian/postinst: forcibly remove diginotar cert. It could be left
  behind under certain circumstances. (LP: #920758)
* debian/jks-keystore.hook: properly strip .pem extension from aliases.
  Also, look up and remove old incorrect aliases if necessary.
* debian/control: bump ca-certificates Build-Depends to latest security
  update to make sure we don't bundle old certificates.

Author: Marc Deslauriers
Revision Date: 2012-03-23 09:51:16 UTC

* debian/postinst: forcibly remove diginotar cert. It could be left
  behind under certain circumstances. (LP: #920758)
* debian/jks-keystore.hook: properly strip .pem extension from aliases.
  Also, look up and remove old incorrect aliases if necessary.
* debian/control: bump ca-certificates Build-Depends to latest security
  update to make sure we don't bundle old certificates.

Author: Gerfried Fuchs
Revision Date: 2012-03-06 13:32:11 UTC

* Backport to maverick, changes kept:
  - Switch to use ttf-droid instead of fonts-droid which is not available in
    maverick.

Author: Micah Gersten
Revision Date: 2012-03-13 00:31:49 UTC

* New upstream release v3.1.20 (THUNDERBIRD_3_1_20_BUILD1)
  - see LP: #953720 for USN information

Author: Melissa Draper
Revision Date: 2012-03-21 00:23:05 UTC

* SECURITY UPDATE: Fix default config for sites with multiple SAML instances
  - Default configuration changed to prevent impersonation (LP: #958841)
  - debian/patches/saml_multi_default_config.patch: upstream patch

Author: Scott Kitterman
Revision Date: 2012-03-14 07:44:11 UTC

Fix issues with false error generation due to CNAMES (LP: #954936

Author: Tyler Hicks
Revision Date: 2012-03-21 19:57:51 UTC

* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
    sanitization when parsing properties. Based on upstream patch.
  - CVE-2012-1126
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
    sanitization when parsing glyphs. Based on upstream patch.
  - CVE-2012-1127
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
    NULL pointer dereference. Based on upstream patch.
  - CVE-2012-1128
* SECURITY UPDATE: Denial of service via crafted Type42 font
  - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
    sanitization when parsing SFNT strings. Based on upstream patch.
  - CVE-2012-1129
* SECURITY UPDATE: Denial of service via crafted PCF font
  - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
    properly NULL-terminate parsed properties strings. Based on upstream
    patch.
  - CVE-2012-1130
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
    prevent integer truncation on 64 bit systems when rendering fonts. Based
    on upstream patch.
  - CVE-2012-1131
* SECURITY UPDATE: Denial of service via crafted Type1 font
  - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
    appropriate length when loading Type1 fonts. Based on upstream patch.
  - CVE-2012-1132
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted BDF font
  - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
    glyph encoding values to prevent invalid array indexes. Based on
    upstream patch.
  - CVE-2012-1133
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted Type1 font
  - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
    private dictionary size to prevent writing past array bounds. Based on
    upstream patch.
  - CVE-2012-1134
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
    checks when interpreting TrueType bytecode. Based on upstream patch.
  - CVE-2012-1135
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted BDF font
  - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
    defined when parsing glyphs. Based on upstream patch.
  - CVE-2012-1136
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
    of array elements to prevent reading past array bounds. Based on
    upstream patch.
  - CVE-2012-1137
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1138.patch: Correct typo resulting in
    invalid read from wrong memory location. Based on upstream patch.
  - CVE-2012-1138
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1139.patch: Check array index values to
    prevent reading invalid memory. Based on upstream patch.
  - CVE-2012-1139
* SECURITY UPDATE: Denial of service via crafted PostScript font
  - debian/patches-freetype/CVE-2012-1140.patch: Fix off-by-one error in
    boundary checks. Based on upstream patch.
  - CVE-2012-1140
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1141.patch: Initialize field elements
    to prevent invalid read. Based on upstream patch.
  - CVE-2012-1141
* SECURITY UPDATE: Denial of service via crafted Windows FNT/FON font
  - debian/patches-freetype/CVE-2012-1142.patch: Perform input sanitization
    on first and last character code fields. Based on upstream patch.
  - CVE-2012-1142
* SECURITY UPDATE: Denial of service via crafted font
  - debian/patches-freetype/CVE-2012-1143.patch: Protect against divide by
    zero when dealing with 32 bit types. Based on upstream patch.
  - CVE-2012-1143
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted TrueType font
  - debian/patches-freetype/CVE-2012-1144.patch: Perform input sanitization
    on the first glyph outline point value. Based on upstream patch.
  - CVE-2012-1144

Author: Tyler Hicks
Revision Date: 2012-03-21 19:57:51 UTC

* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
    sanitization when parsing properties. Based on upstream patch.
  - CVE-2012-1126
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
    sanitization when parsing glyphs. Based on upstream patch.
  - CVE-2012-1127
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
    NULL pointer dereference. Based on upstream patch.
  - CVE-2012-1128
* SECURITY UPDATE: Denial of service via crafted Type42 font
  - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
    sanitization when parsing SFNT strings. Based on upstream patch.
  - CVE-2012-1129
* SECURITY UPDATE: Denial of service via crafted PCF font
  - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
    properly NULL-terminate parsed properties strings. Based on upstream
    patch.
  - CVE-2012-1130
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
    prevent integer truncation on 64 bit systems when rendering fonts. Based
    on upstream patch.
  - CVE-2012-1131
* SECURITY UPDATE: Denial of service via crafted Type1 font
  - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
    appropriate length when loading Type1 fonts. Based on upstream patch.
  - CVE-2012-1132
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted BDF font
  - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
    glyph encoding values to prevent invalid array indexes. Based on
    upstream patch.
  - CVE-2012-1133
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted Type1 font
  - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
    private dictionary size to prevent writing past array bounds. Based on
    upstream patch.
  - CVE-2012-1134
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
    checks when interpreting TrueType bytecode. Based on upstream patch.
  - CVE-2012-1135
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted BDF font
  - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
    defined when parsing glyphs. Based on upstream patch.
  - CVE-2012-1136
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
    of array elements to prevent reading past array bounds. Based on
    upstream patch.
  - CVE-2012-1137
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1138.patch: Correct typo resulting in
    invalid read from wrong memory location. Based on upstream patch.
  - CVE-2012-1138
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1139.patch: Check array index values to
    prevent reading invalid memory. Based on upstream patch.
  - CVE-2012-1139
* SECURITY UPDATE: Denial of service via crafted PostScript font
  - debian/patches-freetype/CVE-2012-1140.patch: Fix off-by-one error in
    boundary checks. Based on upstream patch.
  - CVE-2012-1140
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1141.patch: Initialize field elements
    to prevent invalid read. Based on upstream patch.
  - CVE-2012-1141
* SECURITY UPDATE: Denial of service via crafted Windows FNT/FON font
  - debian/patches-freetype/CVE-2012-1142.patch: Perform input sanitization
    on first and last character code fields. Based on upstream patch.
  - CVE-2012-1142
* SECURITY UPDATE: Denial of service via crafted font
  - debian/patches-freetype/CVE-2012-1143.patch: Protect against divide by
    zero when dealing with 32 bit types. Based on upstream patch.
  - CVE-2012-1143
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted TrueType font
  - debian/patches-freetype/CVE-2012-1144.patch: Perform input sanitization
    on the first glyph outline point value. Based on upstream patch.
  - CVE-2012-1144

Author: Melissa Draper
Revision Date: 2012-03-21 00:23:05 UTC

* SECURITY UPDATE: Fix default config for sites with multiple SAML instances
  - Default configuration changed to prevent impersonation (LP: #958841)
  - debian/patches/saml_multi_default_config.patch: upstream patch

Author: Steve Beattie
Revision Date: 2012-03-19 15:35:51 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-03-19 15:35:51 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-03-19 15:28:36 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-03-19 15:28:36 UTC

fake sync from Debian

Author: Micah Gersten
Revision Date: 2012-03-13 01:15:10 UTC

* New upstream release v1.9.2.28 (FIREFOX_3_6_28_BUILD1)
  - see LP: #953736 for USN information

Author: Marc Deslauriers
Revision Date: 2012-03-16 11:03:44 UTC

This extension is incompatible with Firefox 11, and is causing the
browser to fail. Since the bookmarks sync feature is no longer
available in Ubuntu One, make this package empty until someone fixes
it. (LP: #957010)

Author: Marc Deslauriers
Revision Date: 2012-03-16 11:03:44 UTC

This extension is incompatible with Firefox 11, and is causing the
browser to fail. Since the bookmarks sync feature is no longer
available in Ubuntu One, make this package empty until someone fixes
it. (LP: #957010)

Author: Matthias Klose
Revision Date: 2012-03-08 20:44:24 UTC

Fix PR tree-optimization/52430, taken from the 4.4 branch. LP: #931637.

Author: Matthias Klose
Revision Date: 2012-03-08 20:44:24 UTC

Fix PR tree-optimization/52430, taken from the 4.4 branch. LP: #931637.

Author: Chris Coulson
Revision Date: 2012-03-10 19:25:32 UTC

* New upstream stable release (FIREFOX_11_0_BUILD1)
  - see LP: #951250 for USN information

* Rebuilt against updated gcc to fix LP: #931637
* Ensure that the crash reporter is disabled if rebuilt by Ubuntu
  derivatives, as there will be no crash symbols for those
  - update debian/rules
* Only add "Ubuntu" to the UA string when being built for Ubuntu
  - update debian/rules
* Temporarily disable ipdl tests due to build failures. These aren't
  enabled upstream, anyway
  - update debian/config/mozconfig.in
* Always set the update channel - not setting it at build-time on release
  builds breaks the extensions.checkCompatibility pref. The only things
  using it at runtime are nsBlocklistService, Test Pilot (beta + aurora)
  and the about dialog (where the channel is hidden anyway)
  - update debian/rules
  - update debian/firefox.install.in
* Fix LP: #898883 - IPC xpcshell tests hang the buildd's. Give all
  xpcshell tests an X display, as plugin-container won't work without one
  - update debian/build/testsuite.mk
* Turn on all IPC xpcshell tests again
  - update debian/build/testsute.mk
* Drop the default-apps xml file - there is already one provided by
  gnome-control-center, so ours duplicates this. We never used to install
  it for Firefox 3.6
  - remove debian/firefox.xml.in
  - update debian/firefox-gnome-support.install.in
  - update debian/rules
* Ship Test Pilot as a distribution addon, like upstream. This means
  that the addon manager can update it. It does also mean that it will
  remain installed in users profiles if they try the beta or aurora
  builds, but the Feedback button is disabled on release builds
  - update debian/firefox.install.in
  - fixes LP: #913357
* Drop patches fixed upstream
  - remove debian/patches/fix-cursor-handling.patch
  - update debian/patches/series
* Call xvfb-run with "-a" in case there are other servers running on the
  builder
  - update debian/build/testsuite.mk
* Really fix LP: #898883 - IPC xpcshell tests hang the build. What was
  actually happening is plugin-container would fail to start because all
  available X connections had been used up by many instances of dbus-launch,
  spawned each time an xpcshell tried to talk to the session bus. Because
  we run all of the xpcshell tests with one Xvfb instance, the buses
  accumulate until the available X connections all run out. To fix this, run
  all tests requiring a display inside dbus-launch, so we create just a
  single bus for all xpcshell tests
  - update debian/build/testsuite.mk
  - update debian/control{,.in}
* Add Ligurian to locale blacklist, as we don't support this in Ubuntu
  - update debian/config/locales.blacklist
* Fix LP: #918763 - Revert the temporary investigation patch for
  bmo: #621446, as it breaks GCC4.4
  - add debian/patches/revert-bmo621446-investigation.patch
  - update debian/patches/series
* Refresh patches
  - update debian/patches/ubuntu-ua-string-changes.patch
  - update debian/patches/mozilla-kde.patch
  - update debian/patches/firefox-kde.patch
* Fix LP: #915895 - Just set autoDisableScopes to 0. Other distributions
  are already doing this, and we already made this feature pretty much
  useless by allowing extensions in the application directory, so that our
  language packs aren't disabled by default
  - update debian/vendor.js
* Drop the solid white separators from the addressbar autocomplete dropdown,
  and increase padding so that it doesn't look so bad with dark themes
  - add debian/patches/autocomplete-theme-tweak.patch
  - update debian/patches/series
* Fix LP: #926495 - Add patch based on one from bmo: #691898 to enable
  building on ppc again
  - add debian/patches/fix-build-failure-without-yarr-jit.patch
  - update debian/patches/series
* Fix LP: #926495 - Disable the SPS profiler on unsupported architectures
  - add debian/patches/no-sps-profiler-on-unsupported-archs.patch
  - update debian/patches/series
* Add a missing include in gfx/angle/src/compiler/Types.h (backported
  from Aurora)
  - add debian/patches/fix-missing-stl-include-in-angle.patch
  - update debian/patches/series

Author: Chris Coulson
Revision Date: 2012-03-02 22:47:21 UTC

* New upstream release.
  - Drop Ask.com searchplugin
  - LP: #951250
* Refresh debian/patches/addon_installer.patch
* Move back out of the application directory now that LP: #915895 is fixed.
  The original solution didn't really make much sense
  - update debian/rules

Author: Adam Conrad
Revision Date: 2012-03-14 20:32:04 UTC

Update VMware View Client entry to remove "Tech Preview" (LP: #950993)

Author: Scott Kitterman
Revision Date: 2012-03-14 07:44:11 UTC

Fix issues with false error generation due to CNAMES (LP: #954936

Author: Adam Conrad
Revision Date: 2012-03-14 20:32:04 UTC

Update VMware View Client entry to remove "Tech Preview" (LP: #950993)

Author: Scott Moser
Revision Date: 2012-03-14 18:54:23 UTC

fix typo in postinst causing pipelining to run more than desired

Author: Marc Deslauriers
Revision Date: 2012-03-12 11:16:50 UTC

* SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
  - gdm/guest-session-cleanup.sh: Use find/xargs with 0 separators
    instead of spaces. Thanks to Martin Pitt for the fix.
  - Thanks to Ryan Lortie for reporting this issue.
  - CVE-2012-0943

Author: Micah Gersten
Revision Date: 2012-03-13 01:15:10 UTC

* New upstream release v1.9.2.28 (FIREFOX_3_6_28_BUILD1)
  - see LP: #953736 for USN information

Author: Micah Gersten
Revision Date: 2012-03-13 00:31:49 UTC

* New upstream release v3.1.20 (THUNDERBIRD_3_1_20_BUILD1)
  - see LP: #953720 for USN information

Author: Marc Deslauriers
Revision Date: 2012-03-12 11:16:50 UTC

* SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
  - gdm/guest-session-cleanup.sh: Use find/xargs with 0 separators
    instead of spaces. Thanks to Martin Pitt for the fix.
  - Thanks to Ryan Lortie for reporting this issue.
  - CVE-2012-0943

Author: Max Bowsher
Revision Date: 2012-03-11 22:47:56 UTC

For maverick and earlier, generate a C.UTF-8 locale before using it to run
the tests.

Author: Chris Coulson
Revision Date: 2012-03-10 19:25:32 UTC

* New upstream stable release (FIREFOX_11_0_BUILD1)
  - see LP: #951250 for USN information

* Rebuilt against updated gcc to fix LP: #931637
* Ensure that the crash reporter is disabled if rebuilt by Ubuntu
  derivatives, as there will be no crash symbols for those
  - update debian/rules
* Only add "Ubuntu" to the UA string when being built for Ubuntu
  - update debian/rules
* Temporarily disable ipdl tests due to build failures. These aren't
  enabled upstream, anyway
  - update debian/config/mozconfig.in
* Always set the update channel - not setting it at build-time on release
  builds breaks the extensions.checkCompatibility pref. The only things
  using it at runtime are nsBlocklistService, Test Pilot (beta + aurora)
  and the about dialog (where the channel is hidden anyway)
  - update debian/rules
  - update debian/firefox.install.in
* Fix LP: #898883 - IPC xpcshell tests hang the buildd's. Give all
  xpcshell tests an X display, as plugin-container won't work without one
  - update debian/build/testsuite.mk
* Turn on all IPC xpcshell tests again
  - update debian/build/testsute.mk
* Drop the default-apps xml file - there is already one provided by
  gnome-control-center, so ours duplicates this. We never used to install
  it for Firefox 3.6
  - remove debian/firefox.xml.in
  - update debian/firefox-gnome-support.install.in
  - update debian/rules
* Ship Test Pilot as a distribution addon, like upstream. This means
  that the addon manager can update it. It does also mean that it will
  remain installed in users profiles if they try the beta or aurora
  builds, but the Feedback button is disabled on release builds
  - update debian/firefox.install.in
  - fixes LP: #913357
* Drop patches fixed upstream
  - remove debian/patches/fix-cursor-handling.patch
  - update debian/patches/series
* Call xvfb-run with "-a" in case there are other servers running on the
  builder
  - update debian/build/testsuite.mk
* Really fix LP: #898883 - IPC xpcshell tests hang the build. What was
  actually happening is plugin-container would fail to start because all
  available X connections had been used up by many instances of dbus-launch,
  spawned each time an xpcshell tried to talk to the session bus. Because
  we run all of the xpcshell tests with one Xvfb instance, the buses
  accumulate until the available X connections all run out. To fix this, run
  all tests requiring a display inside dbus-launch, so we create just a
  single bus for all xpcshell tests
  - update debian/build/testsuite.mk
  - update debian/control{,.in}
* Add Ligurian to locale blacklist, as we don't support this in Ubuntu
  - update debian/config/locales.blacklist
* Fix LP: #918763 - Revert the temporary investigation patch for
  bmo: #621446, as it breaks GCC4.4
  - add debian/patches/revert-bmo621446-investigation.patch
  - update debian/patches/series
* Refresh patches
  - update debian/patches/ubuntu-ua-string-changes.patch
  - update debian/patches/mozilla-kde.patch
  - update debian/patches/firefox-kde.patch
* Fix LP: #915895 - Just set autoDisableScopes to 0. Other distributions
  are already doing this, and we already made this feature pretty much
  useless by allowing extensions in the application directory, so that our
  language packs aren't disabled by default
  - update debian/vendor.js
* Drop the solid white separators from the addressbar autocomplete dropdown,
  and increase padding so that it doesn't look so bad with dark themes
  - add debian/patches/autocomplete-theme-tweak.patch
  - update debian/patches/series
* Fix LP: #926495 - Add patch based on one from bmo: #691898 to enable
  building on ppc again
  - add debian/patches/fix-build-failure-without-yarr-jit.patch
  - update debian/patches/series
* Fix LP: #926495 - Disable the SPS profiler on unsupported architectures
  - add debian/patches/no-sps-profiler-on-unsupported-archs.patch
  - update debian/patches/series
* Add a missing include in gfx/angle/src/compiler/Types.h (backported
  from Aurora)
  - add debian/patches/fix-missing-stl-include-in-angle.patch
  - update debian/patches/series

Author: Tyler Hicks
Revision Date: 2012-03-09 14:38:28 UTC

fake sync from Debian

Author: Tyler Hicks
Revision Date: 2012-03-09 14:38:28 UTC

fake sync from Debian

Author: Micah Gersten
Revision Date: 2012-03-09 17:35:50 UTC

Automated backport upload; no source changes.

Author: Martin Pitt
Revision Date: 2012-03-09 08:47:09 UTC

* New upstream release 2012b:
  - Update DST rules for Chile (LP: #948328), Armenia, Samoa, Cuba,
    Falkland.
  - Fix historic DST rules for Canada.
  - Add leap seconds for June 2012.

Author: Marc Deslauriers
Revision Date: 2012-03-08 09:11:03 UTC

* SECURITY UPDATE: possible code execution via double-free (LP: #949218)
  - PAMmodule.c: prevent double free in PyPAM_conv().
  - Thanks to Markus Vervier for the notification and the patch.
  - CVE-2012-1502

Author: Marc Deslauriers
Revision Date: 2012-03-08 09:11:03 UTC

* SECURITY UPDATE: possible code execution via double-free (LP: #949218)
  - PAMmodule.c: prevent double free in PyPAM_conv().
  - Thanks to Markus Vervier for the notification and the patch.
  - CVE-2012-1502

Author: Tyler Hicks
Revision Date: 2012-03-07 14:11:19 UTC

fake sync from Debian

Author: Tyler Hicks
Revision Date: 2012-03-07 14:11:19 UTC

fake sync from Debian

Author: Herton R. Krzesinski
Revision Date: 2012-03-07 15:44:26 UTC

linux-mvl-dove 2.6.32-424.43

Author: Steve Beattie
Revision Date: 2012-03-06 12:12:55 UTC

* SECURITY UPDATE: timezone header parsing integer overflow (LP: #906961)
  - debian/patches/any/glibc-CVE-2009-5029.patch: Check values from
    TZ file header
  - CVE-2009-5029
* SECURITY UPDATE: memory consumption denial of service in fnmatch
  - debian/patches/any/glibc-CVE-2011-1071.patch: avoid too much
    stack use in fnmatch.
  - CVE-2011-1071
* SECURITY UPDATE: /etc/mtab corruption denial of service
  - debian/patches/any/glibc-CVE-2011-1089.patch: Report write
    error in addmnt even for cached streams
  - CVE-2011-1089
* SECURITY UPDATE: insufficient locale environment sanitization
  - debian/patches/any/glibc-CVE-2011-1095.patch: escape contents of
    LANG environment variable.
  - CVE-2011-1095
* SECURITY UPDATE: ld.so insecure handling of privileged programs'
  RPATHs with $ORIGIN
  - debian/patches/any/glibc-CVE-2011-1658.patch: improve handling of
    RPATH and ORIGIN
  - CVE-2011-1658
* SECURITY UPDATE: fnmatch integer overflow
  - debian/patches/any/glibc-CVE-2011-1659.patch: check size of
    pattern in wide character representation
  - CVE-2011-1659
* SECURITY UPDATE: DoS in RPC implementation (LP: #901716)
  - debian/patches/any/glibc-CVE-2011-4609.patch: nanosleep when too
    many open fds is detected
  - CVE-2011-4609
* SECURITY UPDATE: vfprintf nargs overflow leading to FORTIFY
  check bypass
  - debian/patches/any/glibc-CVE-2012-0864.patch: check for integer
    overflow
  - CVE-2012-0864

Author: Stefano Rivera
Revision Date: 2011-10-28 21:07:03 UTC

No-change rebuild for R 2.11.1 (LP: #883204)

Author: Chris Coulson
Revision Date: 2012-03-02 22:47:21 UTC

* New upstream release.
  - Drop Ask.com searchplugin
  - LP: #951250
* Refresh debian/patches/addon_installer.patch
* Move back out of the application directory now that LP: #915895 is fixed.
  The original solution didn't really make much sense
  - update debian/rules

Author: Marc Deslauriers
Revision Date: 2012-02-22 14:16:05 UTC

* SECURITY UPDATE: Update to 5.1.61 to fix multiple security issues
  (LP: #937869)
  - http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
  - CVE-2011-2262
  - CVE-2012-0075
  - CVE-2012-0112
  - CVE-2012-0113
  - CVE-2012-0114
  - CVE-2012-0115
  - CVE-2012-0116
  - CVE-2012-0117
  - CVE-2012-0118
  - CVE-2012-0119
  - CVE-2012-0120
  - CVE-2012-0484
  - CVE-2012-0485
  - CVE-2012-0486
  - CVE-2012-0487
  - CVE-2012-0488
  - CVE-2012-0489
  - CVE-2012-0490
  - CVE-2012-0491
  - CVE-2012-0492
  - CVE-2012-0493
  - CVE-2012-0494
  - CVE-2012-0495
  - CVE-2012-0496
* Dropped patches unnecessary with 5.1.61:
  - debian/patches/61_CVE-2010-3833.dpatch
  - debian/patches/61_CVE-2010-3834.dpatch
  - debian/patches/61_CVE-2010-3835.dpatch
  - debian/patches/61_CVE-2010-3836.dpatch
  - debian/patches/61_CVE-2010-3837.dpatch
  - debian/patches/61_CVE-2010-3838.dpatch
  - debian/patches/61_CVE-2010-3839.dpatch
  - debian/patches/61_CVE-2010-3840.dpatch
  - debian/patches/60_abi-check-include.dpatch
  - debian/patches/62_disable_longfilename_test.dpatch
  - debian/patches/90_fix_testsuite_for_installed_env.dpatch
* debian/mysql-client-5.1.docs: removed EXCEPTIONS-CLIENT file
* debian/mysql-server-5.1.docs,debian/libmysqlclient16.docs,
  debian/libmysqlclient-dev.docs: removed, no longer necessary.

Author: Chris J Arges
Revision Date: 2012-01-18 15:32:08 UTC

* Backport changes to fix kdump functionality. LP: #828731.
  - debian/kdump.initramfs: call /usr/bin/makedumpfile via a chroot command,
    so that if makedumpfile is statically linked, we get proper library
    resolution. Thanks to Louis Bouchard <louis.bouchard@canonical.com> for
    the patch. LP: #785425.
  - debian/kdump.initramfs: handle the possibility that /usr, /boot, or
    /var is on a separate filesystem and needs to be manually mounted before
    calling makedumpfile. LP: #828731.
  - Depend on makedumpfile, without which the initramfs script doesn't work.
  - Fix an unnecessary bashism.
  - Only install the kdump initramfs script and depend on makedumpfile on
    architectures that makedumpfile supports.

Author: Martin Pitt
Revision Date: 2012-02-27 15:13:58 UTC

* New upstream bug fix/security release: (LP: #941912)
  - Require execute permission on the trigger function for "CREATE
    TRIGGER".
    This missing check could allow another user to execute a trigger
    function with forged input data, by installing it on a table he
    owns. This is only of significance for trigger functions marked
    SECURITY DEFINER, since otherwise trigger functions run as the
    table owner anyway. (CVE-2012-0866)
  - Remove arbitrary limitation on length of common name in SSL
    certificates.
    Both libpq and the server truncated the common name extracted from
    an SSL certificate at 32 bytes. Normally this would cause nothing
    worse than an unexpected verification failure, but there are some
    rather-implausible scenarios in which it might allow one
    certificate holder to impersonate another. The victim would have to
    have a common name exactly 32 bytes long, and the attacker would
    have to persuade a trusted CA to issue a certificate in which the
    common name has that string as a prefix. Impersonating a server
    would also require some additional exploit to redirect client
    connections. (CVE-2012-0867)
  - Convert newlines to spaces in names written in pg_dump comments.
    pg_dump was incautious about sanitizing object names that are
    emitted within SQL comments in its output script. A name containing
    a newline would at least render the script syntactically incorrect.
    Maliciously crafted object names could present a SQL injection risk
    when the script is reloaded. (CVE-2012-0868)
  - Fix btree index corruption from insertions concurrent with
    vacuuming.
    An index page split caused by an insertion could sometimes cause a
    concurrently-running "VACUUM" to miss removing index entries that
    it should remove. After the corresponding table rows are removed,
    the dangling index entries would cause errors (such as "could not
    read block N in file ...") or worse, silently wrong query results
    after unrelated rows are re-inserted at the now-free table
    locations. This bug has been present since release 8.2, but occurs
    so infrequently that it was not diagnosed until now. If you have
    reason to suspect that it has happened in your database, reindexing
    the affected index will fix things.
  - Update per-column permissions, not only per-table permissions, when
    changing table owner.
    Failure to do this meant that any previously granted column
    permissions were still shown as having been granted by the old
    owner. This meant that neither the new owner nor a superuser could
    revoke the now-untraceable-to-table-owner permissions.
  - Allow non-existent values for some settings in "ALTER USER/DATABASE
    SET".
    Allow default_text_search_config, default_tablespace, and
    temp_tablespaces to be set to names that are not known. This is
    because they might be known in another database where the setting
    is intended to be used, or for the tablespace cases because the
    tablespace might not be created yet. The same issue was previously
    recognized for search_path, and these settings now act like that
    one.
  - Avoid crashing when we have problems deleting table files
    post-commit.
    Dropping a table should lead to deleting the underlying disk files
    only after the transaction commits. In event of failure then (for
    instance, because of wrong file permissions) the code is supposed
    to just emit a warning message and go on, since it's too late to
    abort the transaction. This logic got broken as of release 8.4,
    causing such situations to result in a PANIC and an unrestartable
    database.
  - Track the OID counter correctly during WAL replay, even when it
    wraps around.
    Previously the OID counter would remain stuck at a high value until
    the system exited replay mode. The practical consequences of that
    are usually nil, but there are scenarios wherein a standby server
    that's been promoted to master might take a long time to advance
    the OID counter to a reasonable value once values are needed.
  - Fix regular expression back-references with - attached.
    Rather than enforcing an exact string match, the code would
    effectively accept any string that satisfies the pattern
    sub-expression referenced by the back-reference symbol.
    A similar problem still afflicts back-references that are embedded
    in a larger quantified expression, rather than being the immediate
    subject of the quantifier. This will be addressed in a future
    PostgreSQL release.
  - Fix recently-introduced memory leak in processing of inet/cidr
    values.
  - Fix dangling pointer after "CREATE TABLE AS"/"SELECT INTO" in a
    SQL-language function.
    In most cases this only led to an assertion failure in
    assert-enabled builds, but worse consequences seem possible.
  - Fix I/O-conversion-related memory leaks in plpgsql.
  - Improve pg_dump's handling of inherited table columns.
    pg_dump mishandled situations where a child column has a different
    default expression than its parent column. If the default is
    textually identical to the parent's default, but not actually the
    same (for instance, because of schema search path differences) it
    would not be recognized as different, so that after dump and
    restore the child would be allowed to inherit the parent's default.
    Child columns that are NOT NULL where their parent is not could
    also be restored subtly incorrectly.
  - Fix pg_restore's direct-to-database mode for INSERT-style table
    data.
    Direct-to-database restores from archive files made with
    "--inserts" or "--column-inserts" options fail when using
    pg_restore from a release dated September or December 2011, as a
    result of an oversight in a fix for another problem. The archive
    file itself is not at fault, and text-mode output is okay.
  - Allow AT option in ecpg DEALLOCATE statements.
    The infrastructure to support this has been there for awhile, but
    through an oversight there was still an error check rejecting the
    case.
  - Fix error in "contrib/intarray"'s int[] & int[] operator.
    If the smallest integer the two input arrays have in common is 1,
    and there are smaller values in either array, then 1 would be
    incorrectly omitted from the result.
  - Fix error detection in "contrib/pgcrypto"'s encrypt_iv() and
    decrypt_iv().
    These functions failed to report certain types of invalid-input
    errors, and would instead return random garbage values for
    incorrect input.
  - Fix one-byte buffer overrun in "contrib/test_parser".
    The code would try to read one more byte than it should, which
    would crash in corner cases. Since "contrib/test_parser" is only
    example code, this is not a security issue in itself, but bad
    example code is still bad.
  - Use __sync_lock_test_and_set() for spinlocks on ARM, if available.
    This function replaces our previous use of the SWPB instruction,
    which is deprecated and not available on ARMv6 and later. Reports
    suggest that the old code doesn't fail in an obvious way on recent
    ARM boards, but simply doesn't interlock concurrent accesses,
    leading to bizarre failures in multiprocess operation.
  - Use "-fexcess-precision=standard" option when building with gcc
    versions that accept it.
    This prevents assorted scenarios wherein recent versions of gcc
    will produce creative results.
  - Allow use of threaded Python on FreeBSD.
    Our configure script previously believed that this combination
    wouldn't work; but FreeBSD fixed the problem, so remove that error
    check.
* Drop 00git_inet_cidr_unpack.patch, 04-armel-tas.patch: applied upstream.

Author: Herton R. Krzesinski
Revision Date: 2012-02-28 14:33:28 UTC

[Herton R. Krzesinski]

* Release Tracking Bug
  - LP: #942766

[ Paolo Pisati ]

* [Config] Move to a 3G/1G memory split
  - LP: #861296

Author: Herton R. Krzesinski
Revision Date: 2012-02-28 14:33:28 UTC

[Herton R. Krzesinski]

* Release Tracking Bug
  - LP: #942766

[ Paolo Pisati ]

* [Config] Move to a 3G/1G memory split
  - LP: #861296

Author: Martin Pitt
Revision Date: 2012-02-27 15:13:58 UTC

* New upstream bug fix/security release: (LP: #941912)
  - Require execute permission on the trigger function for "CREATE
    TRIGGER".
    This missing check could allow another user to execute a trigger
    function with forged input data, by installing it on a table he
    owns. This is only of significance for trigger functions marked
    SECURITY DEFINER, since otherwise trigger functions run as the
    table owner anyway. (CVE-2012-0866)
  - Remove arbitrary limitation on length of common name in SSL
    certificates.
    Both libpq and the server truncated the common name extracted from
    an SSL certificate at 32 bytes. Normally this would cause nothing
    worse than an unexpected verification failure, but there are some
    rather-implausible scenarios in which it might allow one
    certificate holder to impersonate another. The victim would have to
    have a common name exactly 32 bytes long, and the attacker would
    have to persuade a trusted CA to issue a certificate in which the
    common name has that string as a prefix. Impersonating a server
    would also require some additional exploit to redirect client
    connections. (CVE-2012-0867)
  - Convert newlines to spaces in names written in pg_dump comments.
    pg_dump was incautious about sanitizing object names that are
    emitted within SQL comments in its output script. A name containing
    a newline would at least render the script syntactically incorrect.
    Maliciously crafted object names could present a SQL injection risk
    when the script is reloaded. (CVE-2012-0868)
  - Fix btree index corruption from insertions concurrent with
    vacuuming.
    An index page split caused by an insertion could sometimes cause a
    concurrently-running "VACUUM" to miss removing index entries that
    it should remove. After the corresponding table rows are removed,
    the dangling index entries would cause errors (such as "could not
    read block N in file ...") or worse, silently wrong query results
    after unrelated rows are re-inserted at the now-free table
    locations. This bug has been present since release 8.2, but occurs
    so infrequently that it was not diagnosed until now. If you have
    reason to suspect that it has happened in your database, reindexing
    the affected index will fix things.
  - Update per-column permissions, not only per-table permissions, when
    changing table owner.
    Failure to do this meant that any previously granted column
    permissions were still shown as having been granted by the old
    owner. This meant that neither the new owner nor a superuser could
    revoke the now-untraceable-to-table-owner permissions.
  - Allow non-existent values for some settings in "ALTER USER/DATABASE
    SET".
    Allow default_text_search_config, default_tablespace, and
    temp_tablespaces to be set to names that are not known. This is
    because they might be known in another database where the setting
    is intended to be used, or for the tablespace cases because the
    tablespace might not be created yet. The same issue was previously
    recognized for search_path, and these settings now act like that
    one.
  - Avoid crashing when we have problems deleting table files
    post-commit.
    Dropping a table should lead to deleting the underlying disk files
    only after the transaction commits. In event of failure then (for
    instance, because of wrong file permissions) the code is supposed
    to just emit a warning message and go on, since it's too late to
    abort the transaction. This logic got broken as of release 8.4,
    causing such situations to result in a PANIC and an unrestartable
    database.
  - Track the OID counter correctly during WAL replay, even when it
    wraps around.
    Previously the OID counter would remain stuck at a high value until
    the system exited replay mode. The practical consequences of that
    are usually nil, but there are scenarios wherein a standby server
    that's been promoted to master might take a long time to advance
    the OID counter to a reasonable value once values are needed.
  - Fix regular expression back-references with - attached.
    Rather than enforcing an exact string match, the code would
    effectively accept any string that satisfies the pattern
    sub-expression referenced by the back-reference symbol.
    A similar problem still afflicts back-references that are embedded
    in a larger quantified expression, rather than being the immediate
    subject of the quantifier. This will be addressed in a future
    PostgreSQL release.
  - Fix recently-introduced memory leak in processing of inet/cidr
    values.
  - Fix dangling pointer after "CREATE TABLE AS"/"SELECT INTO" in a
    SQL-language function.
    In most cases this only led to an assertion failure in
    assert-enabled builds, but worse consequences seem possible.
  - Fix I/O-conversion-related memory leaks in plpgsql.
  - Improve pg_dump's handling of inherited table columns.
    pg_dump mishandled situations where a child column has a different
    default expression than its parent column. If the default is
    textually identical to the parent's default, but not actually the
    same (for instance, because of schema search path differences) it
    would not be recognized as different, so that after dump and
    restore the child would be allowed to inherit the parent's default.
    Child columns that are NOT NULL where their parent is not could
    also be restored subtly incorrectly.
  - Fix pg_restore's direct-to-database mode for INSERT-style table
    data.
    Direct-to-database restores from archive files made with
    "--inserts" or "--column-inserts" options fail when using
    pg_restore from a release dated September or December 2011, as a
    result of an oversight in a fix for another problem. The archive
    file itself is not at fault, and text-mode output is okay.
  - Allow AT option in ecpg DEALLOCATE statements.
    The infrastructure to support this has been there for awhile, but
    through an oversight there was still an error check rejecting the
    case.
  - Fix error in "contrib/intarray"'s int[] & int[] operator.
    If the smallest integer the two input arrays have in common is 1,
    and there are smaller values in either array, then 1 would be
    incorrectly omitted from the result.
  - Fix error detection in "contrib/pgcrypto"'s encrypt_iv() and
    decrypt_iv().
    These functions failed to report certain types of invalid-input
    errors, and would instead return random garbage values for
    incorrect input.
  - Fix one-byte buffer overrun in "contrib/test_parser".
    The code would try to read one more byte than it should, which
    would crash in corner cases. Since "contrib/test_parser" is only
    example code, this is not a security issue in itself, but bad
    example code is still bad.
  - Use __sync_lock_test_and_set() for spinlocks on ARM, if available.
    This function replaces our previous use of the SWPB instruction,
    which is deprecated and not available on ARMv6 and later. Reports
    suggest that the old code doesn't fail in an obvious way on recent
    ARM boards, but simply doesn't interlock concurrent accesses,
    leading to bizarre failures in multiprocess operation.
  - Use "-fexcess-precision=standard" option when building with gcc
    versions that accept it.
    This prevents assorted scenarios wherein recent versions of gcc
    will produce creative results.
  - Allow use of threaded Python on FreeBSD.
    Our configure script previously believed that this combination
    wouldn't work; but FreeBSD fixed the problem, so remove that error
    check.
* Drop 00git_inet_cidr_unpack.patch, 04-armel-tas.patch: applied upstream.