Branches for Natty

Author: Darryl L. Miles
Revision Date: 2015-06-02 17:16:38 UTC

maint/bzr_push.sh Auto copy, commit and push for: control.snapshot (ubuntu/natty)

Author: Andreas Hasenack
Revision Date: 2012-09-25 06:08:42 UTC

Added fix for lshw storm when the client was talking to an old
Landscape server which was then upgraded (LP: #1053057).

Author: Martin Pitt
Revision Date: 2012-04-16 09:55:53 UTC

Tracking bug: LP: #978884
* Warn on unicode entry into settings UI (LP: #956612).
* Sanitise hostname field in settings UI (LP: #954507).
* Make it clear that the Landscape service is commercial (LP: #965850)
* Further internationalize the settings UI (LP: #962899)
* Depend on python-aptdaemon.gtk3widgets instead of python-aptdaemon and
  replace dependency on python-gobject by python-gi (LP: #961894)
* Add i18n to the landscape-client-ui-install script. (LP: #961891)
* Fix default landscape hostname in glib schema.
* dpkg test improvements to fix intermittent failures.
* If ssl_public_key is supplied, use it also when fetching script
  attachments. This fixes the case of using script execution with
  attachments when the Landscape server is using a custom CA,
  most common in LDS deployments. (LP: #959846)
* Make sure we have a PATH variable set before doing package
  activities, and also set it in the initscript for good measure. If
  the client was configured and restarted by the new UI configuration
  tool, PATH wasn't set, triggering an error in dpkg. (LP: #961190)
* Make landscape-client-ui depend on landscape-client-ui-install, so
  that we get an entry in the system settings if just
  landscape-client-ui is installed. The actual entry comes from
  landscape-client-ui-install.
* Optimization: when adding binaries, don't reload every repo, only the one
  containing the binaries. (LP: #954822)
* Handle the case where the user clicks twice inadvertently on the
  Landscape icon in system settings and don't start a second copy of
  itself. (LP: #960211)
* Change package management features to use APT instead of Smart (LP: #856244,
  #861707, #859615, #861345, #863239, #863259, #865270, #865272, #865285,
  #865273, #871641, #865299, #873196, #873939, #876493, #881973, #882438,
  #866014, #881998, #884142, #884151, #884131, #887037, #886208, #887578,
  #887947, #889067, #889069, #889087, #889099, #865303, #889113, #890605,
  #890606, #890609, #897416, #891855, #898681, #898683, #897656, #898542,
  #862212, #903202, #914734, #914735, #914737, #916301, #915280, #914742,
  #918925, #918175, #919179, #921664, #921699, #922582, #922511, #921712,
  #928750, #932136, #928941, #937411, #937567, #925543, #947803, #952973,
  #948142, #953136, #953906, #956590).
* Add a GTK interface to configure the client (LP: #911279, #911666, #912163,
  #911665, #916300, #931937, #931937, #943622, #945025, #911279, #944652,
  #948464, #948416, #949158, #911671, #950864, #949208, #949147, #953070,
  #953292, #953463, #953034, #949200, #953026, #954499, #954516, #954285,
  #953065, #954414, #954332, #954542, #955966, #955139, #956030, #956119).
* Add the ability to auto discover the server location on local deployment
  (LP: #917422, #927620, #917422, #928585, #929087, #932325, #948564)
* Allow the client to accept arbitrary environment variables from the
  server for script execution (LP: #954999).
* Make landscape-config exit non-zero when registration fails and
  --ok-no-register is not passed (LP: #271759).
* Check for the content of /sys/bus/xen/devices to report a machine as a Xen
  VM instead of just relying on the existence of /sys/bus/xen (LP: #921970).
* Make sure cloud registration succeeds if there is no kernel specified in
  the meta-data service (LP: #920453).
* Report private and public IP adresses from the metadata service at cloud
  registration time (LP: #918366).
* Add support for reporting hardware information using lshw (LP: #899002,
  #943975, #955734).
* Add support for the new attachment service in script execution
  (LP: #893040).
* Adds a new message type, 'register-provisioned-machine', which is meant
  to register computers using an OTP (LP: #881405).
* Add local cloning option for load testing (LP: #872830, #925924).
* Add more variables to preseeding (LP: #863204, #867710).
* Allow the configuration of the ping interval (LP: #397884).
* Add fake package reporters for load testing purposes (LP: #821571,
  #821570).
* Report a package reporter error to the server if no APT sources are
  configured, to trigger a package reporter alert (LP: #823769).

Author: Martin Pitt
Revision Date: 2012-04-16 09:56:08 UTC

releasing version 12.04.3-0ubuntu0.11.04

Author: Maia Everett
Revision Date: 2011-06-04 15:11:46 UTC

* SRU: fix segfault on start. (LP: #733393)
* Add 06_adjust_to_new_compiz.patch, by David Foerster <malteworld@web.de>:
  port to the new compiz API. Fixes FTBFS. (LP: #749047)

Author: Steve Langasek
Revision Date: 2013-12-13 08:09:22 UTC

Branch fixup

Author: Gediminas Paulauskas
Revision Date: 2011-04-15 21:26:53 UTC

* debian/rules: do not mess with scripts, install only
  /usr/bin/zope-testrunner using default python.
* debian/test_helper: adapt to changed name of zope-testrunner, execute it
  with different python interpreters instead.
* debian/tests/all: use our own test_helper.

Author: Scott Moser
Revision Date: 2011-04-15 13:01:17 UTC

instead of including /boot/grub, create it in postinst
of grub-legacy-ec2.

Author: Steve Beattie
Revision Date: 2012-09-20 15:45:17 UTC

* SECURITY UPDATE: buffer overflow in vfprintf handling
  - debian/patches/any/CVE-2012-3404.patch: Fix allocation when
    handling positional parameters in printf.
  - CVE-2012-3404
* SECURITY UPDATE: buffer overflow in vfprintf handling
  - debian/patches/any/CVE-2012-3405.patch: fix extension of array
  - CVE-2012-3405
* SECURITY UPDATE: stack buffer overflow in vfprintf handling
  (LP: #1031301)
  - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
    array grows too large to handle via alloca extension
  - CVE-2012-3406
* SECURITY UPDATE: stdlib strtod integer/buffer overflows
  - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
    and modify types to void integer overflows
  - CVE-2012-3480

Author: Didier Roche-Tolomelli
Revision Date: 2011-04-07 12:16:17 UTC

Rebuild against latest libunity (soname bump)

Author: Steve Beattie
Revision Date: 2012-09-20 15:45:17 UTC

* SECURITY UPDATE: buffer overflow in vfprintf handling
  - debian/patches/any/CVE-2012-3404.patch: Fix allocation when
    handling positional parameters in printf.
  - CVE-2012-3404
* SECURITY UPDATE: buffer overflow in vfprintf handling
  - debian/patches/any/CVE-2012-3405.patch: fix extension of array
  - CVE-2012-3405
* SECURITY UPDATE: stack buffer overflow in vfprintf handling
  (LP: #1031301)
  - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
    array grows too large to handle via alloca extension
  - CVE-2012-3406
* SECURITY UPDATE: stdlib strtod integer/buffer overflows
  - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
    and modify types to void integer overflows
  - CVE-2012-3480

Author: Matthias Klose
Revision Date: 2011-04-26 12:43:58 UTC

  * Update to r13356 from the eglibc-2.13 branch.

Author: Jamie Strandboge
Revision Date: 2012-10-19 14:11:40 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2012-10-19 14:11:40 UTC

fake sync from Debian

Author: Scott Kitterman
Revision Date: 2012-10-08 18:11:31 UTC

Microversion update to latest clamav release for natty (LP: #1064096)

Author: Luke Faraone
Revision Date: 2011-07-05 16:04:32 UTC

No-change rebuild against latest abiword. (LP: #774017)

Author: Marc Deslauriers
Revision Date: 2012-10-25 08:29:01 UTC

* SECURITY UPDATE: arbitrary code execution via dns decode logic
  - debian/patches/CVE-2012-5671.patch: adjust max length and validate
    against it in src/pdkim/pdkim.h, src/dkim.c.
  - CVE-2012-5671

Author: Marc Deslauriers
Revision Date: 2012-10-25 08:29:01 UTC

* SECURITY UPDATE: arbitrary code execution via dns decode logic
  - debian/patches/CVE-2012-5671.patch: adjust max length and validate
    against it in src/pdkim/pdkim.h, src/dkim.c.
  - CVE-2012-5671

Author: Jamie Strandboge
Revision Date: 2012-10-23 10:55:06 UTC

* SECURE UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.diff: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.diff: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: http://bugs.python.org/issue14579
  - debian/patches/CVE-2012-2135.diff: fix vulnerability in the utf-16
    decoder after error handling
  - CVE-2012-2135

Author: Jamie Strandboge
Revision Date: 2012-10-23 10:55:06 UTC

* SECURE UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.diff: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.diff: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: http://bugs.python.org/issue14579
  - debian/patches/CVE-2012-2135.diff: fix vulnerability in the utf-16
    decoder after error handling
  - CVE-2012-2135

Author: Jamie Strandboge
Revision Date: 2012-10-19 22:07:38 UTC

* SECURITY UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.diff: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.diff: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: http://bugs.python.org/issue14579
  - debian/patches/CVE-2012-2135.diff: fix vulnerability in the utf-16
    decoder after error handling
  - CVE-2012-2135

Author: Jamie Strandboge
Revision Date: 2012-10-19 22:07:38 UTC

* SECURITY UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.diff: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.diff: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: http://bugs.python.org/issue14579
  - debian/patches/CVE-2012-2135.diff: fix vulnerability in the utf-16
    decoder after error handling
  - CVE-2012-2135

Author: Jamie Strandboge
Revision Date: 2012-09-28 07:07:08 UTC

* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.diff: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.diff: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURE UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: Fix CGIHTTPServer information disclosure.
  - debian/patches/CVE-2011-1015.diff: Relative paths are now collapsed
    within the url properly before looking in cgi_directories.
  - CVE-2011-1015
* SECURITY UPDATE: fix XSS in SimpleHTTPServer
  - debian/patches/CVE-2011-4940.diff: add a charset parameter to the
    Content-type
  - CVE-2011-4940
* SECURITY UPDATE: update urllib and urllib2 for invalid redirections
  - debian/patches/CVE-2011-1521.diff: only process Location headers for
    http, https, and ftp
  - http://bugs.python.org/issue11662
  - CVE-2011-1521

Author: Tyler Hicks
Revision Date: 2012-09-27 21:13:08 UTC

* SECURITY UPDATE: Privilege escalation via malicious environment variable
  - debian/patches/07-CVE_2011_2709.patch: Only read the GSSAPI_MECH_CONF
    environment variable in non-setuid situations. Based on upstream patch.
  - CVE-2011-2709

Author: Tyler Hicks
Revision Date: 2012-09-27 21:13:08 UTC

* SECURITY UPDATE: Privilege escalation via malicious environment variable
  - debian/patches/07-CVE_2011_2709.patch: Only read the GSSAPI_MECH_CONF
    environment variable in non-setuid situations. Based on upstream patch.
  - CVE-2011-2709

Author: Micah Gersten
Revision Date: 2012-10-14 20:55:31 UTC

No-change backport to natty (LP: #1063688)

Author: Chris Coulson
Revision Date: 2012-09-03 14:00:01 UTC

* New upstream stable release to support Thunderbird 16 (CALENDAR_1_8_BUILD1)
  - LP: #1062587

* Add extra Makefiles that are needed for the build
  - update debian/rules

Author: Chris Coulson
Revision Date: 2012-09-03 14:00:01 UTC

* New upstream stable release to support Thunderbird 16 (CALENDAR_1_8_BUILD1)
  - LP: #1062587

* Add extra Makefiles that are needed for the build
  - update debian/rules

Author: Chris Coulson
Revision Date: 2012-09-26 13:42:31 UTC

* New upstream release v1.4.5 to support Thunderbird 16
  - LP: #1062587

* Add patch to set the correct version number. The version was not changed
  from 1.5a1pre to 1.4.5 when the tarball was built from rev 24e938
  - add debian/patches/correct-version-number.diff
  - update debian/patches/series

Author: Scott Kitterman
Revision Date: 2012-10-08 18:11:31 UTC

Microversion update to latest clamav release for natty (LP: #1064096)

Author: Marc Deslauriers
Revision Date: 2012-10-10 10:20:46 UTC

* SECURITY UPDATE: cross-site scripting issue in reStructuredText parser
  - debian/patches/CVE-2011-1058.patch: remove javascript support in
    MoinMoin/parser/text_rst.py.
  - CVE-2011-1058
* SECURITY UPDATE: incorrect permissions due to broken virtual group
  names handling
  - debian/patches/CVE-2012-4404.patch: fix group test in
    MoinMoin/security/__init__.py, added test in
    MoinMoin/security/_tests/test_security.py.
  - CVE-2012-4404

Author: Marc Deslauriers
Revision Date: 2012-10-10 10:20:46 UTC

* SECURITY UPDATE: cross-site scripting issue in reStructuredText parser
  - debian/patches/CVE-2011-1058.patch: remove javascript support in
    MoinMoin/parser/text_rst.py.
  - CVE-2011-1058
* SECURITY UPDATE: incorrect permissions due to broken virtual group
  names handling
  - debian/patches/CVE-2012-4404.patch: fix group test in
    MoinMoin/security/__init__.py, added test in
    MoinMoin/security/_tests/test_security.py.
  - CVE-2012-4404

Author: Marc Deslauriers
Revision Date: 2012-10-05 10:53:14 UTC

* SECURITY UPDATE: denial of service via specific combinations of RDATA
  - bin/named/query.c: fix logic
  - Patch backported from 9.8.3-P4
  - CVE-2012-5166

Author: Marc Deslauriers
Revision Date: 2012-10-05 10:53:14 UTC

* SECURITY UPDATE: denial of service via specific combinations of RDATA
  - bin/named/query.c: fix logic
  - Patch backported from 9.8.3-P4
  - CVE-2012-5166

Author: Jamie Strandboge
Revision Date: 2012-09-28 07:07:08 UTC

* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.diff: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.diff: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURE UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: Fix CGIHTTPServer information disclosure.
  - debian/patches/CVE-2011-1015.diff: Relative paths are now collapsed
    within the url properly before looking in cgi_directories.
  - CVE-2011-1015
* SECURITY UPDATE: fix XSS in SimpleHTTPServer
  - debian/patches/CVE-2011-4940.diff: add a charset parameter to the
    Content-type
  - CVE-2011-4940
* SECURITY UPDATE: update urllib and urllib2 for invalid redirections
  - debian/patches/CVE-2011-1521.diff: only process Location headers for
    http, https, and ftp
  - http://bugs.python.org/issue11662
  - CVE-2011-1521

Author: Marc Deslauriers
Revision Date: 2012-09-28 15:25:53 UTC

* SECURITY UPDATE: information disclosure via generate-id XPath function
  - libxslt/functions.c: do not expose object addresses directly.
  - ecb6bcb8d1b7e44842edde3929f412d46b40c89f
  - CVE-2011-1202
* SECURITY UPDATE: denial of service via out-of-bounds read
  - libxslt/pattern.c: fix improper loop exit.
  - fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b
  - CVE-2011-3970
* SECURITY UPDATE: denial of service via out-of-bounds read
  - libxslt/xsltutils.h: check for XML_ELEMENT_NODE
  - e6a0bc8081271f33b9899eb78e1da1a2a0428419
  - CVE-2012-2825
* SECURITY UPDATE: denial of service via crafted XSLT expression
  - harden code in libexslt/functions.c, libxslt/attributes.c,
    libxslt/functions.c, libxslt/pattern.c, libxslt/preproc.c,
    libxslt/templates.c, libxslt/transform.c, libxslt/variables.c,
    libxslt/xslt.c, libxslt/xsltutils.c.
  - 8566ab4a10158d195adb5f1f61afe1ee8bfebd12
  - 4da0f7e207f14a03daad4663865c285eb27f93e9
  - 24653072221e76d2f1f06aa71225229b532f8946
  - 1564b30e994602a95863d9716be83612580a2fed
  - CVE-2012-2870
* SECURITY UPDATE: denial of service and possible code execution during
  handling of XSL transforms
  - libxslt/transform.c: check for XML_NAMESPACE_DECL
  - 937ba2a3eb42d288f53c8adc211bd1122869f0bf
  - CVE-2012-2871
* SECURITY UPDATE: denial of service and possible code execution via
  double free during XSL transforms
  - libxslt/templates.c: Fix dictionary string usage
  - 54977ed7966847e305a2008cb18892df26eeb065
  - CVE-2012-2893

Author: Marc Deslauriers
Revision Date: 2012-09-28 15:25:53 UTC

* SECURITY UPDATE: information disclosure via generate-id XPath function
  - libxslt/functions.c: do not expose object addresses directly.
  - ecb6bcb8d1b7e44842edde3929f412d46b40c89f
  - CVE-2011-1202
* SECURITY UPDATE: denial of service via out-of-bounds read
  - libxslt/pattern.c: fix improper loop exit.
  - fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b
  - CVE-2011-3970
* SECURITY UPDATE: denial of service via out-of-bounds read
  - libxslt/xsltutils.h: check for XML_ELEMENT_NODE
  - e6a0bc8081271f33b9899eb78e1da1a2a0428419
  - CVE-2012-2825
* SECURITY UPDATE: denial of service via crafted XSLT expression
  - harden code in libexslt/functions.c, libxslt/attributes.c,
    libxslt/functions.c, libxslt/pattern.c, libxslt/preproc.c,
    libxslt/templates.c, libxslt/transform.c, libxslt/variables.c,
    libxslt/xslt.c, libxslt/xsltutils.c.
  - 8566ab4a10158d195adb5f1f61afe1ee8bfebd12
  - 4da0f7e207f14a03daad4663865c285eb27f93e9
  - 24653072221e76d2f1f06aa71225229b532f8946
  - 1564b30e994602a95863d9716be83612580a2fed
  - CVE-2012-2870
* SECURITY UPDATE: denial of service and possible code execution during
  handling of XSL transforms
  - libxslt/transform.c: check for XML_NAMESPACE_DECL
  - 937ba2a3eb42d288f53c8adc211bd1122869f0bf
  - CVE-2012-2871
* SECURITY UPDATE: denial of service and possible code execution via
  double free during XSL transforms
  - libxslt/templates.c: Fix dictionary string usage
  - 54977ed7966847e305a2008cb18892df26eeb065
  - CVE-2012-2893

Author: Marc Deslauriers
Revision Date: 2012-10-03 07:03:55 UTC

* REGRESSION FIX: some applications launched with the activation helper
  may need DBUS_STARTER_ADDRESS. (LP: #1058343)
  - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
    starter address to the default system bus address.
* REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
  - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
    shutdown or reboot so that it can safely unmount the root
    filesystem.

Author: Marc Deslauriers
Revision Date: 2012-10-03 07:03:55 UTC

* REGRESSION FIX: some applications launched with the activation helper
  may need DBUS_STARTER_ADDRESS. (LP: #1058343)
  - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
    starter address to the default system bus address.
* REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
  - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
    shutdown or reboot so that it can safely unmount the root
    filesystem.

Author: Jamie Strandboge
Revision Date: 2012-09-05 22:05:20 UTC

* Fix installation of symlinks in data/ dir (LP: #770566):
  - test/auto.py: Add test for installing a symlink which points to a
    nonexisting target directory/file. This reproduces the gist of the
    problem.
  - test/auto.py: Preserve symlinks in copytree() calls, so that we can
    actually verify that symlinks are preserved properly.
  - test/auto.py: Drop requirement that diff throws no error messages, as it
    will complain about the broken symlink.
  - DistUtilsExtra/auto.py, install_auto: Use os.walk() instead of
    distutils.filelist.findall() to pick out symlinks, as the latter fails
    badly with broken symlinks.
  - DistUtilsExtra/command/build_icons.py: Ignore symbolic links. distutils
    breaks on them when they point to a nonexisting target, and we handle
    them in auto.py.
  - http://bazaar.launchpad.net/~python-distutils-extra-hackers/python-distutils-extra/debian/revision/250

Author: Jamie Strandboge
Revision Date: 2012-09-27 15:38:07 UTC

* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.diff: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.diff: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURITY UPDATE: update urllib and urllib2 for invalid redirections
  - debian/patches/CVE-2011-1521.diff: only process Location headers for
    http, https, and ftp
  - http://bugs.python.org/issue11662
  - CVE-2011-1521
* SECURITY UPDATE: fix XSS in SimpleHTTPServer
  - debian/patches/CVE-2011-4940.diff: add a charset parameter to the
    Content-type
  - CVE-2011-4940
* SECURE UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944

Author: Jamie Strandboge
Revision Date: 2012-09-27 15:38:07 UTC

* SECURITY UPDATE: fix hash randomization DoS
  - debian/patches/CVE-2012-1150.diff: add -R command-line option and
    PYTHONHASHSEED environment variable, to provide an opt-in way to protect
    against denial of service attacks due to hash collisions within the dict
    and set types.
  - CVE-2012-1150
* SECURITY UPDATE: xmlrpc: Fix an endless loop in SimpleXMLRPCServer upon
  malformed POST request
  - debian/patches/CVE-2012-0845.diff: break if don't receive EOF in
    Lib/SimpleXMLRPCServer.py
  - CVE-2012-0845
* SECURITY UPDATE: update urllib and urllib2 for invalid redirections
  - debian/patches/CVE-2011-1521.diff: only process Location headers for
    http, https, and ftp
  - http://bugs.python.org/issue11662
  - CVE-2011-1521
* SECURITY UPDATE: fix XSS in SimpleHTTPServer
  - debian/patches/CVE-2011-4940.diff: add a charset parameter to the
    Content-type
  - CVE-2011-4940
* SECURE UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944

Author: Marc Deslauriers
Revision Date: 2012-09-28 09:25:17 UTC

* SECURITY UPDATE: improve gpg key validation to prevent MITM attack
  (LP: #1016643)
  - softwareproperties/ppa.py: download gpg key to temporary keyring, and
    validate using v4 fingerprint before importing to apt keyring.

Author: Marc Deslauriers
Revision Date: 2012-09-28 09:25:17 UTC

* SECURITY UPDATE: improve gpg key validation to prevent MITM attack
  (LP: #1016643)
  - softwareproperties/ppa.py: download gpg key to temporary keyring, and
    validate using v4 fingerprint before importing to apt keyring.

Author: Martin Pitt
Revision Date: 2012-09-25 07:34:06 UTC

* New upstream bug fix release: (LP: #1055944)
  - Fix planner's assignment of executor parameters, and fix executor's
    rescan logic for CTE plan nodes.
    These errors could result in wrong answers from queries that scan
    the same WITH subquery multiple times.
  - Improve page-splitting decisions in GiST indexes.
    Multi-column GiST indexes might suffer unexpected bloat due to this
    error.
  - Fix cascading privilege revoke to stop if privileges are still held.
    If we revoke a grant option from some role "X", but "X" still holds
    that option via a grant from someone else, we should not
    recursively revoke the corresponding privilege from role(s) "Y"
    that "X" had granted it to.
  - Fix handling of SIGFPE when PL/Perl is in use.
    Perl resets the process's SIGFPE handler to SIG_IGN, which could
    result in crashes later on. Restore the normal Postgres signal
    handler after initializing PL/Perl.
  - Prevent PL/Perl from crashing if a recursive PL/Perl function is
    redefined while being executed.
  - Work around possible misoptimization in PL/Perl.
    Some Linux distributions contain an incorrect version of
    "pthread.h" that results in incorrect compiled code in PL/Perl,
    leading to crashes if a PL/Perl function calls another one that
    throws an error.

Author: Marc Deslauriers
Revision Date: 2012-09-24 12:51:55 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  crafted client certificates
  - debian/patches/CVE-2012-3547.diff: use correct size in
    src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c.
  - CVE-2012-3547

Author: Marc Deslauriers
Revision Date: 2012-09-26 15:00:20 UTC

* SECURITY UPDATE: arbitrary code execution via insufficient validation
  in dscverify
  - scripts/dscverify.pl: perform better validation.
  - 22881936e53e6b585d3dc60f3161e9d704c5138d
  - CVE-2012-2240
* SECURITY UPDATE: arbitrary file deletion via insufficient validation
  in dget
  - scripts/dget.pl: strip invalid characters.
  - 79d27778321f7bb778097cfb7a724ae976fb4fbd
  - CVE-2012-2241
* SECURITY UPDATE: arbitrary code execution via improper argument
  escaping in dget
  - scripts/dget.pl: escape $file better, and call system() with proper
    arguments.
  - db49f493baaac2387a4dd76370c1018109e31dfc
  - CVE-2012-2242
* SECURITY UPDATE: file alteration via TOCTOU in annotate-output
  - scripts/annotate-output.sh: prevent symlink attack.
  - 1bbe2163987c53064a4cd57712927f4b06c01032
  - CVE-2012-3500
* REGRESSION FIX: improper exit code in CVE-2012-0212 debdiff.pl fix
  - 252a42d225f489e398f3c0402c1f7d1e9a4451c0

Author: Marc Deslauriers
Revision Date: 2012-09-26 15:00:20 UTC

* SECURITY UPDATE: arbitrary code execution via insufficient validation
  in dscverify
  - scripts/dscverify.pl: perform better validation.
  - 22881936e53e6b585d3dc60f3161e9d704c5138d
  - CVE-2012-2240
* SECURITY UPDATE: arbitrary file deletion via insufficient validation
  in dget
  - scripts/dget.pl: strip invalid characters.
  - 79d27778321f7bb778097cfb7a724ae976fb4fbd
  - CVE-2012-2241
* SECURITY UPDATE: arbitrary code execution via improper argument
  escaping in dget
  - scripts/dget.pl: escape $file better, and call system() with proper
    arguments.
  - db49f493baaac2387a4dd76370c1018109e31dfc
  - CVE-2012-2242
* SECURITY UPDATE: file alteration via TOCTOU in annotate-output
  - scripts/annotate-output.sh: prevent symlink attack.
  - 1bbe2163987c53064a4cd57712927f4b06c01032
  - CVE-2012-3500
* REGRESSION FIX: improper exit code in CVE-2012-0212 debdiff.pl fix
  - 252a42d225f489e398f3c0402c1f7d1e9a4451c0

Author: Marc Deslauriers
Revision Date: 2012-09-24 12:51:55 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  crafted client certificates
  - debian/patches/CVE-2012-3547.diff: use correct size in
    src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c.
  - CVE-2012-3547

Author: Chris Coulson
Revision Date: 2012-09-26 13:42:31 UTC

* New upstream release v1.4.5 to support Thunderbird 16
  - LP: #1062587

* Add patch to set the correct version number. The version was not changed
  from 1.5a1pre to 1.4.5 when the tarball was built from rev 24e938
  - add debian/patches/correct-version-number.diff
  - update debian/patches/series

Author: Marc Deslauriers
Revision Date: 2012-09-26 13:16:03 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  incorrect buffer sizes.
  - http://git.gnome.org/browse/libxml2/commit/?id=459eeb9dc752d5185f57ff6b135027f11981a626
  - http://git.gnome.org/browse/libxml2/commit/?id=4f9fdc709c4861c390cd84e2ed1fd878b3442e28
  - http://git.gnome.org/browse/libxml2/commit/?id=baaf03f80f817bb34c421421e6cb4d68c353ac9a
  - CVE-2012-2807

Author: Marc Deslauriers
Revision Date: 2012-09-26 13:16:03 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  incorrect buffer sizes.
  - http://git.gnome.org/browse/libxml2/commit/?id=459eeb9dc752d5185f57ff6b135027f11981a626
  - http://git.gnome.org/browse/libxml2/commit/?id=4f9fdc709c4861c390cd84e2ed1fd878b3442e28
  - http://git.gnome.org/browse/libxml2/commit/?id=baaf03f80f817bb34c421421e6cb4d68c353ac9a
  - CVE-2012-2807

Author: Martin Pitt
Revision Date: 2012-09-25 07:34:06 UTC

* New upstream bug fix release: (LP: #1055944)
  - Fix planner's assignment of executor parameters, and fix executor's
    rescan logic for CTE plan nodes.
    These errors could result in wrong answers from queries that scan
    the same WITH subquery multiple times.
  - Improve page-splitting decisions in GiST indexes.
    Multi-column GiST indexes might suffer unexpected bloat due to this
    error.
  - Fix cascading privilege revoke to stop if privileges are still held.
    If we revoke a grant option from some role "X", but "X" still holds
    that option via a grant from someone else, we should not
    recursively revoke the corresponding privilege from role(s) "Y"
    that "X" had granted it to.
  - Fix handling of SIGFPE when PL/Perl is in use.
    Perl resets the process's SIGFPE handler to SIG_IGN, which could
    result in crashes later on. Restore the normal Postgres signal
    handler after initializing PL/Perl.
  - Prevent PL/Perl from crashing if a recursive PL/Perl function is
    redefined while being executed.
  - Work around possible misoptimization in PL/Perl.
    Some Linux distributions contain an incorrect version of
    "pthread.h" that results in incorrect compiled code in PL/Perl,
    leading to crashes if a PL/Perl function calls another one that
    throws an error.

Author: Chris J Arges
Revision Date: 2012-07-16 08:39:03 UTC

increase buffer used for pam_authz_search (LP: #951343)

Author: Marc Deslauriers
Revision Date: 2012-08-14 08:37:40 UTC

debian/patches/long-keyids.dpatch: Use the longest key ID available
when requesting a key from a key server.

Author: Marc Deslauriers
Revision Date: 2012-08-14 08:37:40 UTC

debian/patches/long-keyids.dpatch: Use the longest key ID available
when requesting a key from a key server.

Author: Marc Deslauriers
Revision Date: 2012-08-14 13:31:24 UTC

debian/patches/long-keyids.diff: Use the longest key ID available
when requesting a key from a key server.

Author: Marc Deslauriers
Revision Date: 2012-08-14 13:31:24 UTC

debian/patches/long-keyids.diff: Use the longest key ID available
when requesting a key from a key server.

Author: Marc Deslauriers
Revision Date: 2012-09-12 09:11:28 UTC

* SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
  - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
    main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
    failures in ext/phar/phar_object.c.
  - CVE-2011-1398
  - CVE-2012-4388
* SECURITY UPDATE: denial of service and possible code execution via
  _php_stream_scandir function (LP: #1028064)
  - debian/patches/CVE-2012-2688.patch: prevent overflow in
    main/streams/streams.c.
  - CVE-2012-2688
* SECURITY UPDATE: denial of service via PDO extension crafted parameter
  - debian/patches/CVE-2012-3450.patch: improve logic in
    ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
    test to ext/pdo_mysql/tests/bug_61755.phpt.
  - CVE-2012-3450

Author: Paolo Pisati
Revision Date: 2012-09-12 16:34:28 UTC

* Release Tracking Bug
  - LP: #1047347

[ Upstream Kernel Changes ]

* rds: set correct msg_namelen
  - LP: #1031112
  - CVE-2012-3340
* KVM: unmap pages from the iommu when slots are removed
  - LP: #987569
  - CVE-2012-2121
* net: Allow driver to limit number of GSO segments per skb
  - LP: #1037456
  - CVE-2012-3412
* tcp: do not scale TSO segment size with reordering degree
  - LP: #1037456
  - CVE-2012-3412
* tcp: Apply device TSO segment limit earlier
  - LP: #1037456
  - CVE-2012-3412
* sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
  - LP: #1037456
  - CVE-2012-3412
* sfc: Fix maximum number of TSO segments and minimum TX queue size
  - LP: #1037456
  - CVE-2012-3412
* mm: Hold a file reference in madvise_remove
  - LP: #1042447
  - CVE-2012-3511

Author: Paolo Pisati
Revision Date: 2012-09-12 16:34:28 UTC

* Release Tracking Bug
  - LP: #1047347

[ Upstream Kernel Changes ]

* rds: set correct msg_namelen
  - LP: #1031112
  - CVE-2012-3340
* KVM: unmap pages from the iommu when slots are removed
  - LP: #987569
  - CVE-2012-2121
* net: Allow driver to limit number of GSO segments per skb
  - LP: #1037456
  - CVE-2012-3412
* tcp: do not scale TSO segment size with reordering degree
  - LP: #1037456
  - CVE-2012-3412
* tcp: Apply device TSO segment limit earlier
  - LP: #1037456
  - CVE-2012-3412
* sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
  - LP: #1037456
  - CVE-2012-3412
* sfc: Fix maximum number of TSO segments and minimum TX queue size
  - LP: #1037456
  - CVE-2012-3412
* mm: Hold a file reference in madvise_remove
  - LP: #1042447
  - CVE-2012-3511

Author: Paolo Pisati
Revision Date: 2012-09-12 16:34:28 UTC

* Release Tracking Bug
  - LP: #1047347

[ Upstream Kernel Changes ]

* rds: set correct msg_namelen
  - LP: #1031112
  - CVE-2012-3340
* KVM: unmap pages from the iommu when slots are removed
  - LP: #987569
  - CVE-2012-2121
* net: Allow driver to limit number of GSO segments per skb
  - LP: #1037456
  - CVE-2012-3412
* tcp: do not scale TSO segment size with reordering degree
  - LP: #1037456
  - CVE-2012-3412
* tcp: Apply device TSO segment limit earlier
  - LP: #1037456
  - CVE-2012-3412
* sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE
  - LP: #1037456
  - CVE-2012-3412
* sfc: Fix maximum number of TSO segments and minimum TX queue size
  - LP: #1037456
  - CVE-2012-3412
* mm: Hold a file reference in madvise_remove
  - LP: #1042447
  - CVE-2012-3511

Author: Marc Deslauriers
Revision Date: 2012-09-12 09:11:28 UTC

* SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
  - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
    main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
    failures in ext/phar/phar_object.c.
  - CVE-2011-1398
  - CVE-2012-4388
* SECURITY UPDATE: denial of service and possible code execution via
  _php_stream_scandir function (LP: #1028064)
  - debian/patches/CVE-2012-2688.patch: prevent overflow in
    main/streams/streams.c.
  - CVE-2012-2688
* SECURITY UPDATE: denial of service via PDO extension crafted parameter
  - debian/patches/CVE-2012-3450.patch: improve logic in
    ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
    test to ext/pdo_mysql/tests/bug_61755.phpt.
  - CVE-2012-3450

Author: Tyler Hicks
Revision Date: 2012-09-09 22:57:33 UTC

* Run the tests as part of the build process
  - debian/patches/FTBFS-tests.patch: Fix issues when running make check.
    Based on upstream patches.
  - debian/rules: Run make check after building
* SECURITY UPDATE: Denial of service via hash collisions
  - debian/patches/CVE-2012-0876.patch: Add random salt value to
    hash inputs. Based on upstream patch.
  - CVE-2012-0876
* SECURITY UPDATE: Denial of service via memory leak
  - debian/patches/CVE-2012-1148.patch: Properly reallocate memory.
    Based on upstream patch.
  - CVE-2012-1148

Author: Tyler Hicks
Revision Date: 2012-09-09 22:57:33 UTC

* Run the tests as part of the build process
  - debian/patches/FTBFS-tests.patch: Fix issues when running make check.
    Based on upstream patches.
  - debian/rules: Run make check after building
* SECURITY UPDATE: Denial of service via hash collisions
  - debian/patches/CVE-2012-0876.patch: Add random salt value to
    hash inputs. Based on upstream patch.
  - CVE-2012-0876
* SECURITY UPDATE: Denial of service via memory leak
  - debian/patches/CVE-2012-1148.patch: Properly reallocate memory.
    Based on upstream patch.
  - CVE-2012-1148

Author: Marc Deslauriers
Revision Date: 2012-09-06 09:39:29 UTC

* SECURITY UPDATE: Cross-site scripting in authentication views
  (LP: #1031733)
  - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
    fix unsafe redirects indjango/http/__init__.py, add test case to
    tests/regressiontests/httpwrappers/tests.py. Patch backport taken
    from Debian Squeeze and fixed for python 2.4 compatibility.
  - CVE-2012-3442
* SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
  - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
    immediately after the constructor in django/forms/fields.py.
  - CVE-2012-3443
* SECURITY UPDATE: Denial-of-service via get_image_dimensions()
  (LP: #1031733)
  - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
    chunk size in django/core/files/images.py.
  - CVE-2012-3444

Author: Tyler Hicks
Revision Date: 2012-09-07 17:28:12 UTC

fake sync from Debian

Author: Tyler Hicks
Revision Date: 2012-09-07 17:28:12 UTC

fake sync from Debian

Author: Luis Henriques
Revision Date: 2012-09-06 18:05:02 UTC

[ Tim Gardner ]

* Move all header meta packages into Section: metapackages
  - LP: #988447
* No meta packages belong in the restricted component
  - LP: #1016702

[ Luis Henriques ]

* Fix Vcs-Git in linux-natty-meta
  - LP: #999726
* Bump ABI

Author: Tyler Hicks
Revision Date: 2012-09-07 09:56:33 UTC

fake sync from Debian

Author: Tyler Hicks
Revision Date: 2012-09-07 09:56:33 UTC

fake sync from Debian

Author: Luis Henriques
Revision Date: 2012-09-06 18:05:02 UTC

[ Tim Gardner ]

* Move all header meta packages into Section: metapackages
  - LP: #988447
* No meta packages belong in the restricted component
  - LP: #1016702

[ Luis Henriques ]

* Fix Vcs-Git in linux-natty-meta
  - LP: #999726
* Bump ABI

Author: Luis Henriques
Revision Date: 2012-09-06 18:05:02 UTC

[ Tim Gardner ]

* Move all header meta packages into Section: metapackages
  - LP: #988447
* No meta packages belong in the restricted component
  - LP: #1016702

[ Luis Henriques ]

* Fix Vcs-Git in linux-natty-meta
  - LP: #999726
* Bump ABI

Author: Marc Deslauriers
Revision Date: 2012-09-06 09:39:29 UTC

* SECURITY UPDATE: Cross-site scripting in authentication views
  (LP: #1031733)
  - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
    fix unsafe redirects indjango/http/__init__.py, add test case to
    tests/regressiontests/httpwrappers/tests.py. Patch backport taken
    from Debian Squeeze and fixed for python 2.4 compatibility.
  - CVE-2012-3442
* SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
  - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
    immediately after the constructor in django/forms/fields.py.
  - CVE-2012-3443
* SECURITY UPDATE: Denial-of-service via get_image_dimensions()
  (LP: #1031733)
  - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
    chunk size in django/core/files/images.py.
  - CVE-2012-3444

Author: Jamie Strandboge
Revision Date: 2012-09-05 22:05:20 UTC

* Fix installation of symlinks in data/ dir (LP: #770566):
  - test/auto.py: Add test for installing a symlink which points to a
    nonexisting target directory/file. This reproduces the gist of the
    problem.
  - test/auto.py: Preserve symlinks in copytree() calls, so that we can
    actually verify that symlinks are preserved properly.
  - test/auto.py: Drop requirement that diff throws no error messages, as it
    will complain about the broken symlink.
  - DistUtilsExtra/auto.py, install_auto: Use os.walk() instead of
    distutils.filelist.findall() to pick out symlinks, as the latter fails
    badly with broken symlinks.
  - DistUtilsExtra/command/build_icons.py: Ignore symbolic links. distutils
    breaks on them when they point to a nonexisting target, and we handle
    them in auto.py.
  - http://bazaar.launchpad.net/~python-distutils-extra-hackers/python-distutils-extra/debian/revision/250

Author: Marc Deslauriers
Revision Date: 2012-09-05 15:45:26 UTC

* SECURITY UPDATE: denial of service via malformed .fit file header
  - debian/patches/CVE-2012-3236.patch: check for valid XTENSION header
    in plug-ins/file-fits/fits-io.c.
  - CVE-2012-3236
* SECURITY UPDATE: denial of service and possible code execution via
  crafted KiSS palette file
  - debian/patches/CVE-2012-3403.patch: validate return codes and header
    data in plug-ins/common/file-cel.c.
  - CVE-2012-3403
* SECURITY UPDATE: denial of service and possible code execution via
  crafted GIF image file
  - debian/patches/CVE-2012-3481.patch: validate sizes, and prevent
    overflows in plug-ins/common/file-gif-load.c.
  - CVE-2012-3481

Author: Marc Deslauriers
Revision Date: 2012-09-05 15:45:26 UTC

* SECURITY UPDATE: denial of service via malformed .fit file header
  - debian/patches/CVE-2012-3236.patch: check for valid XTENSION header
    in plug-ins/file-fits/fits-io.c.
  - CVE-2012-3236
* SECURITY UPDATE: denial of service and possible code execution via
  crafted KiSS palette file
  - debian/patches/CVE-2012-3403.patch: validate return codes and header
    data in plug-ins/common/file-cel.c.
  - CVE-2012-3403
* SECURITY UPDATE: denial of service and possible code execution via
  crafted GIF image file
  - debian/patches/CVE-2012-3481.patch: validate sizes, and prevent
    overflows in plug-ins/common/file-gif-load.c.
  - CVE-2012-3481

Author: Luis Henriques
Revision Date: 2012-09-03 16:44:36 UTC

[ Luis Henriques ]

Bump ABI - Natty ABI 16

Author: Luis Henriques
Revision Date: 2012-09-03 16:44:36 UTC

[ Luis Henriques ]

Bump ABI - Natty ABI 16

Author: Luis Henriques
Revision Date: 2012-09-03 16:44:36 UTC

[ Luis Henriques ]

Bump ABI - Natty ABI 16

Author: Micah Gersten
Revision Date: 2012-09-02 02:09:26 UTC

No-change backport to natty (LP: #1027173)

Author: Steve Beattie
Revision Date: 2011-10-25 15:21:46 UTC

* SECURITY UPDATE: remote HTML injection (LP: #879301)
  - debian/patches/75_empathy-CVE-2011-3635-lp879301.patch: escape
    HTML in when displaying other users' names. (Thanks to upstream
    for patch.)
  - CVE-2011-3635, CVE-2011-4170

Author: Didier Roche-Tolomelli
Revision Date: 2011-04-07 12:16:33 UTC

Rebuild against latest libunity (soname bump)

Author: Steve Beattie
Revision Date: 2012-08-31 22:44:11 UTC

* SECURITY UPDATE: Update to IcedTea 6 1.11.4
  - Security fixes:
    - S7162476, CVE-2012-1682: XMLDecoder security issue via
      ClassFinder
    - S7163201, CVE-2012-0547: Simplify toolkit internals references
  - Bug fixes:
    - S7182135: Impossible to use some editors directly
    - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java
      failed with NPE

Author: Steve Beattie
Revision Date: 2012-08-31 22:44:11 UTC

* SECURITY UPDATE: Update to IcedTea 6 1.11.4
  - Security fixes:
    - S7162476, CVE-2012-1682: XMLDecoder security issue via
      ClassFinder
    - S7163201, CVE-2012-0547: Simplify toolkit internals references
  - Bug fixes:
    - S7182135: Impossible to use some editors directly
    - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java
      failed with NPE

Author: Chris Coulson
Revision Date: 2012-08-27 11:29:04 UTC

* New upstream stable release (THUNDERBIRD_15_0_BUILD1)
  - see LP: #1042165 for USN information

* Update globalmenu-extension to 3.4.1
  + Fixes for LP: #1025011 - HUD search crashes Firefox when Firebug
    is installed
    - Provide our own binding for menupopup nodes which derives from the
      default binding and makes the "state" property work as if there
      were a frame
    - Make all menu nodes reference counted, and hold a strong ref when
      dispatching events, in case the event results in the removal of menu
      nodes
  + Keep the menu we export in sync with the document tree all of the
    time, rather than only when the menus are on screen. The HUD likes to
    open submenus without opening any of its ancestors, which can result in
    us handling events on menu nodes that are no longer in a document
    if an ancestor responds to a bubbled-up event by removing its
    children
  + Ensure we always null check the result of nsIDocument::GetCurrentDoc
  + When tearing down a menu, make sure that we empty out our DbusmenuMenuitem
    in case the parent reuses that item for another menu. Fixes a memory leak
    and an issue where Firebug menu items are duplicated indefinitely each
    time a menu is opened
  + Fix LP: #775080 - Thunderbird with Firetray/MinimizeToTray -
    Global menu disappears
  + Fix LP: #813775 - Hitting an assertion in dbusmenu
  + Fix LP: #775305 - Use style to determine menuitem visibility
* Ensure the Apport hook parses the system preferences on Natty
  - update debian/apport/source_thunderbird.py.in
* Make thunderbird-dbg depend on the correct version of thunderbird
  - update debian/control
* Separate the package name from the application name. This enables us to
  change the package name without having to modify the application (eg,
  to allow us to provide official branded versions of Thunderbird ESR using
  the package name "thunderbird-esr"). In doing this, also drop the patch we
  had to rename Thunderbird in nightlies, and just use some magic in debian/rules
  instead
  - update debian/apport/source_thunderbird.py.in
  - update debian/build/get-orig-source.mk
  - update debian/control.in
  - update debian/control.langpacks
  - update debian/control.langpacks.unavail
  - remove debian/patches/change-moz-app-name.patch
  - update debian/patches/series
  - update debian/rules
  - update debian/thunderbird.install.in
  - update debian/thunderbird.links.in
  - update debian/thunderbird.lintian-overrides.in
  - update debian/thunderbird.postinst.in
  - update debian/thunderbird.postrm.in
  - update debian/thunderbird.preinst.in
  - update debian/thunderbird.sh.in
* Move parts of debian/rules that can be shared with Firefox to a
  new, common file (mozbuild.mk)
  - update debian/rules
  - add debian/build/mozbuild.mk
  - add debian/build/mozvars.mk
  - update debian/build/testsuite.mk
* Make it possible to use the same create-tarball.py for Firefox and
  Thunderbird
  - update debian/build/create-tarball.py
  - update debian/build/get-orig-source.mk
  - add debian/config/tarball.conf
* Switch to source format 3.0
  - add debian/source/format
  - add debian/source/options to diff-ignore the .mozclient.mk file which
    is created during clean, and to pass "--no-preparation"
  - update debian/build/enable-dist-patches.pl
  - rename debian/patches/series => debian/patches/series.in so the source
    isn't built with patches applied
  - add debian/README.source
* Goodbye embedded tarball, and our use of tarball.mk!
  - update debian/build/create-tarball.py
  - update debian/build/extract-file.py
  - update debian/build/get-orig-source.mk
  - update debian/build/mozbuild.mk
* Run the upstream cleansrcdir target during clean
  - update debian/build/mozbuild.mk
* Support the "parallel" option in DEB_BUILD_OPTIONS
  - update debian/build/mozbuild.mk
  - update debian/config/mozconfig.in
* Get rid of pointless python script
  - remove debian/build/extract-file.py
  - update debian/build/mozbuild.mk
* Merge get-orig-source.mk in to mozbuild.mk
  - update debian/build/mozbuild.mk
  - remove debian/build/get-orig-source.mk
* Handle comments in locales.blacklist
  - update debian/build/refresh-supported-locales.pl
  - update debian/config/locales.blacklist
* Fork the upstream text preprocessor and add support for additional
  comparison operators, which means we no longer have to add new
  defines for every distro version specific change we add
  - add debian/build/Expression.py
  - add debian/build/Preprocessor.py
  - update debian/apport/source_thunderbird.py.in
  - update debian/build/mozbuild.mk
  - update debian/config/mozconfig.in
  - update debian/rules
  - update debian/thunderbird.desktop.in
  - update debian/thunderbird.install.in
  - update debian/thunderbird.links.in
  - update debian/thunderbird.postinst.in
  - update debian/thunderbird.postrm.in
  - update debian/thunderbird.preinst.in
* Drop powerpc patches, which are fixed upstream
  - remove debian/patches/fix-dtoa-build-on-ppc.patch and
  - remove debian/patches/fix-build-failure-without-yarr-jit.patch
  - update debian/patches/series.in
* Drop fix-crashreporter-ftbfs-with-gcc4.7.patch, which is fixed upstream

Author: Steve Beattie
Revision Date: 2012-08-30 11:24:04 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-08-30 11:24:04 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-08-03 15:42:11 UTC

debian/patches/fix-plugin-error-on-chromium.patch: fix plugin
table initialization to check only that the subset of hooks that
it uses exists. (LP: #1025553)

Author: Steve Beattie
Revision Date: 2012-08-22 16:39:20 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-08-22 16:39:20 UTC

fake sync from Debian

Author: Chris Coulson
Revision Date: 2012-08-25 20:30:49 UTC

* New upstream stable release (FIREFOX_15_0_BUILD1)
  - see LP: #1041620 for USN information

* Update globalmenu-extension to 3.4.1
  + Drop the edit UI workarounds
  + Fixes for LP: #1035305 - Crash when switching apps back to Firefox
    with Firebug installed
    - Keep the menu we export in sync with the document tree all of the
      time, rather than only when the menus are on screen. The HUD likes to
      open submenus without opening any of its ancestors, which can result in
      us handling events on menu nodes that are no longer in a document
      if an ancestor responds to a bubbled-up event by removing its
      children
    - Ensure we always null check the result of nsIDocument::GetCurrentDoc
  + When tearing down a menu, make sure that we empty out our DbusmenuMenuitem
    in case the parent reuses that item for another menu. Fixes a memory leak
    and an issue where Firebug menu items are duplicated indefinitely each
    time a menu is opened
  + Fixes for LP: #1025011 - HUD search crashes Firefox when Firebug
    is installed
    - Provide our own binding for menupopup nodes which derives from the
      default binding and makes the "state" property work as if there
      were a frame
    - Make all menu nodes reference counted, and hold a strong ref when
      dispatching events, in case the event results in the removal of menu
      nodes
  + Fix LP: #813775 - Hitting an assertion in dbusmenu
  + Fix LP: #861565 - No buttons in the "Show All Bookmarks" dialog
  + Fix LP: #775305 - An empty menu appears when FFChrome is installed
  + Add a small delay when opening the menu with the keyboard, so that
    the additional items are added before the menu appears. Fixes an
    issue where keyboard focus isn't on the first item when opening the
    history menu with the keyboard
* Add Acholi to the locale blacklist
* Separate the package name from the application name in various places.
  This enables us to change the package name without having to modify the
  application or packaging (eg, to allow us to provide official branded
  versions of Firefox ESR using the package name "firefox-esr")
  - update debian/README.Debian.in
  - update debian/apport/source_firefox.py.in
  - update debian/build/get-orig-source.mk
  - update debian/control{,.in}
  - update debian/control.langpacks
  - update debian/control.langpacks.unavail
  - update debian/firefox-locale.preinst.in
  - update debian/firefox.install.in
  - update debian/firefox.links.in
  - update debian/firefox.lintian-overrides.in
  - update debian/firefox.postinst.in
  - update debian/firefox.postrm.in
  - update debian/firefox.preinst.in
  - update debian/firefox.sh.in
  - remove debian/patches/change-moz-app-name.patch
  - update debian/patches/series
  - update debian/rules
  - update debian/usr.bin.firefox.apparmor.*
* Move parts of debian/rules that can be shared with Thunderbird to a
  new, common file (mozbuild.mk)
  - update debian/rules
  - add debian/build/mozbuild.mk
  - add debian/build/mozvars.mk
  - update debian/build/testsuite.mk
* Make it possible to use the same create-tarball.py for Firefox and
  Thunderbird
  - update debian/build/create-tarball.py
  - update debian/build/get-orig-source.mk
  - add debian/config/tarball.conf
* Switch to source format 3.0
  - add debian/source/format
  - add debian/source/options to diff-ignore the .mozclient.mk file which
    is created during clean, and to pass "--no-preparation"
  - update debian/build/enable-dist-patches.pl
  - rename debian/patches/series => debian/patches/series.in so the source
    isn't built with patches applied
  - update debian/README.source
* Goodbye embedded tarball, and our use of tarball.mk!
  - update debian/build/create-tarball.py
  - update debian/build/extract-file.py
  - update debian/build/get-orig-source.mk
  - update debian/build/mozbuild.mk
* Run the upstream cleansrcdir target during clean
  - update debian/build/mozbuild.mk
* Refresh patches
  - update debian/patches/mozilla-kde.patch
* Support the "parallel" option in DEB_BUILD_OPTIONS
  - update debian/build/mozbuild.mk
  - update debian/config/mozconfig.in
* Drop some of the complex shell script for creating language packs
  - update debian/build/mozbuild.mk
  - update debian/build/get-xpi-id.py
* Drop searchplugin patches - these patches are an absolute pain to maintain,
  as they seem to break frequently and we have to touch each localized
  plugin. Instead, just keep our own copy of plugins we modify, and add
  these in to the language packs at the end of the build process
  - remove debian/patches/ubuntu-codes-google.patch
  - remove debian/patches/ubuntu-codes-amazon.patch
  - remove debian/patches/ubuntu-codes-baidu.patch
  - update debian/patches/series.in
  - update debian/build/mozbuild.mk
  - add debian/searchplugins/*
* Get rid of pointless python script
  - remove debian/build/extract-file.py
  - update debian/build/mozbuild.mk
* Add an automated check for finding search engines that match particular
  patterns and verifying that they are replaced with our own search
  engine if we think they should be
  - add debian/build/check-search-overrides.pl
  - update debian/build/mozbuild.mk
  - add debian/searchplugins/overrides.json
  - update debian/control{,.in}
* Drop reload-new-plugins.patch, as this shouldn't actually be needed
  - remove debian/patches/reload-new-plugins.patch
  - update debian/patches/series.in
* Merge get-orig-source.mk in to mozbuild.mk
  - update debian/build/mozbuild.mk
  - remove debian/build/get-orig-source.mk
* Handle comments in locales.blacklist
  - update debian/build/refresh-supported-locales.pl
  - update debian/config/locales.blacklist
* Fork the upstream text preprocessor and add support for additional
  comparison operators, which means we no longer have to add new
  defines for every distro version specific change we add
  - add debian/build/Expression.py
  - add debian/build/Preprocessor.py
  - update debian/apport/source_firefox.py.in
  - update debian/build/mozbuild.mk
  - update debian/config/mozconfig.in
  - update debian/firefox-dev.install.in
  - update debian/firefox-locale.preinst.in
  - update debian/firefox.desktop.in
  - update debian/firefox.dirs.in
  - update debian/firefox.install.in
  - update debian/firefox.links.in
  - update debian/firefox.postinst.in
  - update debian/firefox.postrm.in
  - update debian/firefox.preinst.in
  - update debian/firefox.prerm.in
  - update debian/rules
* Refresh shipped locales
* Drop powerpc patches, which are fixed upstream
  - remove debian/patches/fix-dtoa-build-on-ppc.patch and
  - remove debian/patches/fix-build-failure-without-yarr-jit.patch
  - update debian/patches/series.in
* Drop fix-crashreporter-ftbfs-with-gcc4.7.patch, which is fixed upstream

Author: Steve Beattie
Revision Date: 2012-05-25 14:11:57 UTC

* SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
  - debian/patches/01_CVE-2012-1177.patch: cause libsoup to verify SSL
    certificates by creating soup session with the system CA file
  - CVE-2012-1177

Author: Steve Beattie
Revision Date: 2012-05-25 14:11:57 UTC

* SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
  - debian/patches/01_CVE-2012-1177.patch: cause libsoup to verify SSL
    certificates by creating soup session with the system CA file
  - CVE-2012-1177

Author: Steve Beattie
Revision Date: 2012-08-02 13:32:21 UTC

* SECURITY UPDATE: multiple integer overflows
  - malloc.c, mallocx.c: check for integer overflow in internal
    malloc and calloc routines.
  - CVE-2012-2673

Author: Steve Beattie
Revision Date: 2012-08-02 13:32:21 UTC

* SECURITY UPDATE: multiple integer overflows
  - malloc.c, mallocx.c: check for integer overflow in internal
    malloc and calloc routines.
  - CVE-2012-2673

Author: Jamie Strandboge
Revision Date: 2012-08-22 11:23:49 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2012-08-22 11:30:43 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2012-08-22 11:26:27 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2012-08-22 11:26:27 UTC

fake sync from Debian