Branches for Natty

Author: Jamie Strandboge
Revision Date: 2012-08-22 11:23:49 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2012-08-22 11:30:43 UTC

fake sync from Debian

Author: Marc Deslauriers
Revision Date: 2012-08-14 08:37:40 UTC

debian/patches/long-keyids.dpatch: Use the longest key ID available
when requesting a key from a key server.

Author: Marc Deslauriers
Revision Date: 2012-08-14 13:31:24 UTC

debian/patches/long-keyids.diff: Use the longest key ID available
when requesting a key from a key server.

Author: Clint Byrum
Revision Date: 2011-04-27 15:05:14 UTC

pass --test to mdadm to enable result codes for degraded arrays.
(LP: #761971)

Author: Clint Byrum
Revision Date: 2011-08-24 12:50:11 UTC

d/initramfs/mdadm-functions: Record in /tmp when boot-degraded
question has been asked so that it is only asked once (LP: #820111)
Backported from oneiric, replacing /run with /tmp since neither
/run nor /var/run are available this early in natty's boot.

Author: Jamie Strandboge
Revision Date: 2012-08-17 08:11:55 UTC

* SECURITY UPDATE: insecure temporary file usage
  - debian/patches/CVE-2012-2451.patch: adjust to use tempfile()
  - CVE-2012-2451

Author: Jamie Strandboge
Revision Date: 2012-08-17 08:11:55 UTC

* SECURITY UPDATE: insecure temporary file usage
  - debian/patches/CVE-2012-2451.patch: adjust to use tempfile()
  - CVE-2012-2451

Author: Mattias Ellert
Revision Date: 2012-07-19 07:20:20 UTC

* SECURITY UPDATE: Wrong user mapping on badly configured server
  (LP: #1027323)
  - debian/patches/globus-gridftp-server-control-pw195.patch: backported
    from upstream
  - CVE-2012-3292

Author: Mattias Ellert
Revision Date: 2012-07-19 07:20:20 UTC

* SECURITY UPDATE: Wrong user mapping on badly configured server
  (LP: #1027323)
  - debian/patches/globus-gridftp-server-control-pw195.patch: backported
    from upstream
  - CVE-2012-3292

Author: Mattias Ellert
Revision Date: 2012-07-19 07:07:16 UTC

* SECURITY UPDATE: Wrong user mapping on badly configured server
  (LP: #1027324)
  - debian/patches/globus-gridftp-server-pw195.patch: backported from
    upstream
  - CVE-2012-3292

Author: Mattias Ellert
Revision Date: 2012-07-19 07:07:16 UTC

* SECURITY UPDATE: Wrong user mapping on badly configured server
  (LP: #1027324)
  - debian/patches/globus-gridftp-server-pw195.patch: backported from
    upstream
  - CVE-2012-3292

Author: Steve Beattie
Revision Date: 2012-08-03 15:42:11 UTC

debian/patches/fix-plugin-error-on-chromium.patch: fix plugin
table initialization to check only that the subset of hooks that
it uses exists. (LP: #1025553)

Author: Jamie Strandboge
Revision Date: 2012-08-17 09:56:17 UTC

* SECURITY UPDATE: denial of service via large resource consumption
  - debian/patches/CVE-2012-3437.patch: always use correct size argument
    with libpng memory allocation
  - CVE-2012-3437

Author: Jamie Strandboge
Revision Date: 2012-08-17 09:56:17 UTC

* SECURITY UPDATE: denial of service via large resource consumption
  - debian/patches/CVE-2012-3437.patch: always use correct size argument
    with libpng memory allocation
  - CVE-2012-3437

Author: Jamie Strandboge
Revision Date: 2012-08-16 17:10:53 UTC

* New upstream security/bug fix release:
 - Prevent access to external files/URLs via XML entity references
   (Noah Misch, Tom Lane)
   xml_parse() would attempt to fetch external files or URLs as needed
   to resolve DTD and entity references in an XML value, thus allowing
   unprivileged database users to attempt to fetch data with the
   privileges of the database server. While the external data wouldn't
   get returned directly to the user, portions of it could be exposed
   in error messages if the data didn't parse as valid XML; and in any
   case the mere ability to check existence of a file might be useful
   to an attacker. (CVE-2012-3489)
 - Prevent access to external files/URLs via "contrib/xml2"'s
   xslt_process() (Peter Eisentraut)
   libxslt offers the ability to read and write both files and URLs
   through stylesheet commands, thus allowing unprivileged database
   users to both read and write data with the privileges of the
   database server. Disable that through proper use of libxslt's
   security options. (CVE-2012-3488)
   Also, remove xslt_process()'s ability to fetch documents and
   stylesheets from external files/URLs. While this was a documented
   "feature", it was long regarded as a bad idea. The fix for
   CVE-2012-3489 broke that capability, and rather than expend effort
   on trying to fix it, we're just going to summarily remove it.
 - Prevent too-early recycling of btree index pages (Noah Misch)
   When we allowed read-only transactions to skip assigning XIDs, we
   introduced the possibility that a deleted btree page could be
   recycled while a read-only transaction was still in flight to it.
   This would result in incorrect index search results. The
   probability of such an error occurring in the field seems very low
   because of the timing requirements, but nonetheless it should be
   fixed.
 - Fix crash-safety bug with newly-created-or-reset sequences (Tom
   Lane)
   If "ALTER SEQUENCE" was executed on a freshly created or reset
   sequence, and then precisely one nextval() call was made on it, and
   then the server crashed, WAL replay would restore the sequence to a
   state in which it appeared that no nextval() had been done, thus
   allowing the first sequence value to be returned again by the next
   nextval() call. In particular this could manifest for serial
   columns, since creation of a serial column's sequence includes an
   "ALTER SEQUENCE OWNED BY" step.
 - Ensure the "backup_label" file is fsync'd after pg_start_backup()
   (Dave Kerr)
 - Back-patch 9.1 improvement to compress the fsync request queue
   (Robert Haas)
   This improves performance during checkpoints. The 9.1 change has
   now seen enough field testing to seem safe to back-patch.
 - Only allow autovacuum to be auto-canceled by a directly blocked
   process (Tom Lane)
   The original coding could allow inconsistent behavior in some
   cases; in particular, an autovacuum could get canceled after less
   than deadlock_timeout grace period.
 - Improve logging of autovacuum cancels (Robert Haas)
 - Fix log collector so that log_truncate_on_rotation works during the
   very first log rotation after server start (Tom Lane)
 - Fix WITH attached to a nested set operation
   (UNION/INTERSECT/EXCEPT) (Tom Lane)
 - Ensure that a whole-row reference to a subquery doesn't include any
   extra GROUP BY or ORDER BY columns (Tom Lane)
 - Disallow copying whole-row references in CHECK constraints and
   index definitions during "CREATE TABLE" (Tom Lane)
   This situation can arise in "CREATE TABLE" with LIKE or INHERITS.
   The copied whole-row variable was incorrectly labeled with the row
   type of the original table not the new one. Rejecting the case
   seems reasonable for LIKE, since the row types might well diverge
   later. For INHERITS we should ideally allow it, with an implicit
   coercion to the parent table's row type; but that will require more
   work than seems safe to back-patch.
 - Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki
   Linnakangas, Tom Lane)
 - Fix extraction of common prefixes from regular expressions (Tom
   Lane)
   The code could get confused by quantified parenthesized
   subexpressions, such as ^(foo)?bar. This would lead to incorrect
   index optimization of searches for such patterns.
 - Fix bugs with parsing signed "hh":"mm" and "hh":"mm":"ss" fields in
   interval constants (Amit Kapila, Tom Lane)
 - Report errors properly in "contrib/xml2"'s xslt_process() (Tom
   Lane)
 - Update time zone data files to tzdata release 2012e for DST law
   changes in Morocco and Tokelau

Author: Scott Kitterman
Revision Date: 2012-08-14 22:07:10 UTC

* SECURITY REGRESSION: Fix scanning failure. (LP: #1015405)
  - Upstream commit 6a879ad98460303b23a6fc119769a3b463a902f8 to fix unpack
    errors for various compressed files including some .bz2, .xls, .doc, and
    PDF

Author: Adam Conrad
Revision Date: 2012-08-14 15:43:23 UTC

* New upstream release 2012e:
  - Fixes timezone data for Port-au-Prince, Haiti (LP: #1031836)
* Update debian/copyright and debian/watch for new upstream.

Author: Chris Coulson
Revision Date: 2012-08-14 21:03:58 UTC

* Update globalmenu-extension to 3.2.7
  - Fix for LP: #1035305 - Crash when switching apps back to Firefox
    with Firebug installed

Author: Tyler Hicks
Revision Date: 2012-08-09 11:53:57 UTC

* SECURITY UPDATE: Denial of service via hash collisions
  - debian/patches/577777_CVE_2012_0876.dpatch: Add random salt value to
    hash inputs. Based on upstream patch.
  - CVE-2012-0876
* SECURITY UPDATE: Denial of service via memory leak
  - debian/patches/588888_CVE_2012_1148.dpatch: Properly reallocate memory.
    Based on upstream patch.
  - CVE-2012-1148

Author: Adam Conrad
Revision Date: 2012-08-14 15:43:23 UTC

* New upstream release 2012e:
  - Fixes timezone data for Port-au-Prince, Haiti (LP: #1031836)
* Update debian/copyright and debian/watch for new upstream.

Author: Micah Gersten
Revision Date: 2012-08-12 04:47:07 UTC

No-change backport to natty (LP: #1023894)

Author: Tyler Hicks
Revision Date: 2012-08-09 11:53:57 UTC

* SECURITY UPDATE: Denial of service via hash collisions
  - debian/patches/577777_CVE_2012_0876.dpatch: Add random salt value to
    hash inputs. Based on upstream patch.
  - CVE-2012-0876
* SECURITY UPDATE: Denial of service via memory leak
  - debian/patches/588888_CVE_2012_1148.dpatch: Properly reallocate memory.
    Based on upstream patch.
  - CVE-2012-1148

Author: Marc Deslauriers
Revision Date: 2012-08-06 10:55:34 UTC

* SECURITY UPDATE: possible arbitrary code execution via malformed Word
  document (LP: #1032934)
  - debian/patches/wv2_buffer_overflow_fix.diff: don't overflow grupx in
    filters/kword/msword-odf/wv2/src/styles.cpp.
  - CVE number pending

Author: Marc Deslauriers
Revision Date: 2012-08-06 10:55:34 UTC

* SECURITY UPDATE: possible arbitrary code execution via malformed Word
  document (LP: #1032934)
  - debian/patches/wv2_buffer_overflow_fix.diff: don't overflow grupx in
    filters/kword/msword-odf/wv2/src/styles.cpp.
  - CVE number pending

Author: Marc Deslauriers
Revision Date: 2012-06-22 08:48:31 UTC

* SECURITY UPDATE: Insecure WPA AdHoc network creation (LP: #905748)
  - debian/patches/CVE-2012-2736.patch: disable WPA-secured adhoc
    wireless networks.
  - CVE-2012-2736

Author: Marc Deslauriers
Revision Date: 2012-06-22 08:48:31 UTC

* SECURITY UPDATE: Insecure WPA AdHoc network creation (LP: #905748)
  - debian/patches/CVE-2012-2736.patch: disable WPA-secured adhoc
    wireless networks.
  - CVE-2012-2736

Author: Per Ångström
Revision Date: 2012-04-26 10:56:37 UTC

* debian/patches/fix-slow-bzr-start.patch (LP: #988296)
  - Fix slow meld startup on opening complex Bazaar repositories

Author: Marc Deslauriers
Revision Date: 2012-08-05 10:56:06 UTC

* SECURITY UPDATE: privilege escalation via kernel memory access
  - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
    more offsets in nv.{c,h}.
  - debian/dkms.conf{.in}: added new patch.
  - CVE number pending

Author: Marc Deslauriers
Revision Date: 2012-08-05 10:56:06 UTC

* SECURITY UPDATE: privilege escalation via kernel memory access
  - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
    more offsets in nv.{c,h}.
  - debian/dkms.conf{.in}: added new patch.
  - CVE number pending

Author: Marc Deslauriers
Revision Date: 2012-08-05 09:45:10 UTC

* SECURITY UPDATE: privilege escalation via kernel memory access
  - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
    more offsets in nv.{c,h}.
  - debian/dkms.conf{.in}: added new patch.
  - CVE number pending

Author: Marc Deslauriers
Revision Date: 2012-08-05 09:45:10 UTC

* SECURITY UPDATE: privilege escalation via kernel memory access
  - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
    more offsets in nv.{c,h}.
  - debian/dkms.conf{.in}: added new patch.
  - CVE number pending

Author: Jamie Strandboge
Revision Date: 2012-08-03 11:56:14 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2012-08-03 11:56:14 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-08-03 15:42:11 UTC

debian/patches/fix-plugin-error-on-chromium.patch: fix plugin
table initialization to check only that the subset of hooks that
it uses exists. (LP: #1025553)

Author: Steve Beattie
Revision Date: 2012-07-23 22:15:03 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

Author: Marc Deslauriers
Revision Date: 2012-07-30 14:25:20 UTC

* SECURITY UPDATE: denial of service in QuickDER decoder
  - debian/patches/CVE-2012-0441.patch: properly handle zero-length basic
    constraints and zero-length fields in
    nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h,
    nss/mozilla/security/nss/lib/util/quickder.c.
  - CVE-2012-0441
* debian/rules: added a workaround to get package built on more recent
  kernels.

Author: Marc Deslauriers
Revision Date: 2012-07-30 14:25:20 UTC

* SECURITY UPDATE: denial of service in QuickDER decoder
  - debian/patches/CVE-2012-0441.patch: properly handle zero-length basic
    constraints and zero-length fields in
    nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h,
    nss/mozilla/security/nss/lib/util/quickder.c.
  - CVE-2012-0441
* debian/rules: added a workaround to get package built on more recent
  kernels.

Author: Marc Deslauriers
Revision Date: 2012-07-24 13:34:56 UTC

* SECURITY UPDATE: cross-site scripting vulnerability
  - mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs: properly
    escape error message.
  - CVE-2012-3382

Author: Julian Taylor
Revision Date: 2012-04-30 18:40:28 UTC

000-fix-line-split-error-on-bad-data-from-rebase.diff:
fix crash when bad data from rebase is in the log (LP: #986279)

Author: Marc Deslauriers
Revision Date: 2012-07-24 13:34:56 UTC

* SECURITY UPDATE: cross-site scripting vulnerability
  - mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs: properly
    escape error message.
  - CVE-2012-3382

Author: Marc Deslauriers
Revision Date: 2012-07-25 17:28:23 UTC

* SECURITY UPDATE: denial of service via malformed client identifiers
  - debian/patches/CVE-2012-3571.dpatch: validate packets in
    common/options.{c,h}.
  - CVE-2012-3571.dpatch
* SECURITY UPDATE: denial of service via memory leaks
  - debian/patches/CVE-2012-3954.dpatch: properly manage memory in
    common/options.c and server/dhcpv6.c.
  - CVE-2012-3954

Author: Marc Deslauriers
Revision Date: 2012-07-25 17:28:23 UTC

* SECURITY UPDATE: denial of service via malformed client identifiers
  - debian/patches/CVE-2012-3571.dpatch: validate packets in
    common/options.{c,h}.
  - CVE-2012-3571.dpatch
* SECURITY UPDATE: denial of service via memory leaks
  - debian/patches/CVE-2012-3954.dpatch: properly manage memory in
    common/options.c and server/dhcpv6.c.
  - CVE-2012-3954

Author: Max Bowsher
Revision Date: 2012-07-25 08:30:54 UTC

Fix mangled duplication in debian/patches/03_spurious_test_failure

Author: Chris Coulson
Revision Date: 2011-06-17 14:59:49 UTC

* Upload for compatibility with Firefox 5 (LP: #798484)
* Make it possible to build without the Firefox bridge
  - add debian/patches/no-mozilla.patch
  - update debian/patches/series
* Don't build with --with-ff3 and drop the xulrunner-dev build-depend,
  therefore switching off the Firefox bridge
  - update debian/rules
  - update debian/control
  - remove debian/patches/xulrunner_20.patch
  - update debian/patches/series
  - remove debian/moonlight-plugin-mozilla.install
* Move the curl bridge from mozilla-plugin-chromium to mozilla-plugin-core,
  for sharing with Firefox
  - update debian/control
  - remove debian/moonlight-plugin-chromium.install
  - update debian/moonlight-plugin-core.install

Author: Chris Coulson
Revision Date: 2011-01-31 16:04:45 UTC

* Fix LP: #538796 - cannot open Firefox/Chromium/Chrome when moonlight
  is installed, due to a symbol collision with the icedtea plugin. Thanks
  to Evan Martin and Chris Toshok for figuring this out
  - add debian/patches/avoid_icedtea_symbol_collision.patch
  - update debian/patches/series
* Fix build with xulrunner 2.0
  - add debian/patches/xulrunner_20.patch
  - update debian/patches/series

Author: Steve Beattie
Revision Date: 2012-07-23 22:15:03 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

Author: Chris J Arges
Revision Date: 2012-07-16 08:39:03 UTC

increase buffer used for pam_authz_search (LP: #951343)

Author: Marc Deslauriers
Revision Date: 2012-07-19 13:46:27 UTC

* SECURITY UPDATE: denial of service and possible info disclosure via
  corrupted EXIF_TAG_COPYRIGHT tag (LP: #1024213)
  - debian/patches/CVE-2012-2812.patch: fix reading tags that aren't
    NUL-terminated in libexif/exif-entry.c.
  - CVE-2012-2812
* SECURITY UPDATE: denial of service and possible info disclosure via
  UTF-16 tag (LP: #1024213)
  - debian/patches/CVE-2012-2813.patch: don't read past the end of a
    tag when converting from UTF-16 in libexif/exif-entry.c.
  - CVE-2012-2813
* SECURITY UPDATE: denial of service and possible code execution via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2814.patch: fix buffer overflows in
    libexif/exif-entry.c.
  - CVE-2012-2814
* SECURITY UPDATE: denial of service and possible info disclosure via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2836.patch: fix buffer overflows in
    libexif/exif-data.c
  - CVE-2012-2836
* SECURITY UPDATE: denial of service via crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2837.patch: fix some possible
    division-by-zeros in libexif/olympus/mnote-olympus-entry.c.
  - CVE-2012-2837
* SECURITY UPDATE: denial of service and possible code execution via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2840.patch: fix off-by-one in
    libexif/exif-utils.c.
  - CVE-2012-2840
* SECURITY UPDATE: denial of service and possible code execution via
  incorrect buffer size (LP: #1024213)
  - debian/patches/CVE-2012-2841.patch: validate buffer length in
    libexif/exif-entry.c.
  - CVE-2012-2841

Author: Marc Deslauriers
Revision Date: 2012-07-19 13:46:27 UTC

* SECURITY UPDATE: denial of service and possible info disclosure via
  corrupted EXIF_TAG_COPYRIGHT tag (LP: #1024213)
  - debian/patches/CVE-2012-2812.patch: fix reading tags that aren't
    NUL-terminated in libexif/exif-entry.c.
  - CVE-2012-2812
* SECURITY UPDATE: denial of service and possible info disclosure via
  UTF-16 tag (LP: #1024213)
  - debian/patches/CVE-2012-2813.patch: don't read past the end of a
    tag when converting from UTF-16 in libexif/exif-entry.c.
  - CVE-2012-2813
* SECURITY UPDATE: denial of service and possible code execution via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2814.patch: fix buffer overflows in
    libexif/exif-entry.c.
  - CVE-2012-2814
* SECURITY UPDATE: denial of service and possible info disclosure via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2836.patch: fix buffer overflows in
    libexif/exif-data.c
  - CVE-2012-2836
* SECURITY UPDATE: denial of service via crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2837.patch: fix some possible
    division-by-zeros in libexif/olympus/mnote-olympus-entry.c.
  - CVE-2012-2837
* SECURITY UPDATE: denial of service and possible code execution via
  crafted tags (LP: #1024213)
  - debian/patches/CVE-2012-2840.patch: fix off-by-one in
    libexif/exif-utils.c.
  - CVE-2012-2840
* SECURITY UPDATE: denial of service and possible code execution via
  incorrect buffer size (LP: #1024213)
  - debian/patches/CVE-2012-2841.patch: validate buffer length in
    libexif/exif-entry.c.
  - CVE-2012-2841

Author: Max Bowsher
Revision Date: 2012-07-20 20:49:05 UTC

Actually add debian/patches/07_revert_no_tty

Author: Bruno Bigras
Revision Date: 2011-09-17 22:19:56 UTC

Fix a crash at startup, because of UnicodeDecodeError (LP: #786491)

Author: Steve Langasek
Revision Date: 2012-04-13 22:07:25 UTC

Only try to move links in /etc/rc{0,6}.d that match "S0*". LP: #941867.

Author: Robert Ancell
Revision Date: 2011-08-16 12:26:56 UTC

[ Keng-Yu Lin ]
* Add patches/03-More-retries-when-initialising-the-device.patch
  - Fix the bug of bluetooth staying disabled on resume (LP: #812132)

Author: Chris Coulson
Revision Date: 2012-07-13 23:08:02 UTC

* New upstream stable release (THUNDERBIRD_14_0_BUILD1)
  - see LP: #1024564 for USN information

[ Chris Coulson <chris.coulson@canonical.com> ]
* Update globalmenu-extension to 3.2.5
  - Fix a crash in uGlobalMenu::RecycleList::~RecycleList()
  - Fix LP: #1010580 - update the window event timestamp when handling
    menu events
* Drop patches fixed upstream
  - remove debian/patches/revert-bmo621446-investigation.patch
  - update debian/patches/series
* Refresh patches
  - update debian/patches/add-syspref-dir.patch
* Update desktop file translations
  - update debian/thunderbird.desktop.in
* Add application/x-xpinstall to the MimeType field of the desktop file
  - update debian/thunderbird.desktop.in
* Drop almost all mimetypes from the desktop file. Thunderbird won't display
  any of them if you invoke it with files of these types. It will just
  open a Compose window and add the file as an attachment
  - update debian/thunderbird.desktop.in
* Drop the ability to select between tree/system libraries using a single
  option in debian/rules. It adds additional complexity and was never used
  - update debian/config/mozconfig.in
  - update debian/control.in
  - update debian/thunderbird-dev.links.in
  - update debian/rules
* Shuffle the order of google-breakpad/src/common/dwarf/Makefile.in to fix a
  variable substitution issue, which was causing some objects to be built with
  the wrong compiler flags, resulting in dump_syms crashing (LP: #1002590)
  - add debian/patches/fix-makefile-substitution-bug.patch
* Don't set LD_LIBRARY_PATH in our shell wrapper, and install
  dependentlibs.list instead now
  - update debian/thunderbird.sh.in
  - update debian/thunderbird.install.in
* Drop StartupWMClass from the desktop file now that WM_CLASS is the same
  as the binary name (also fixes LP: #1012158)
  - update debian/thunderbird.desktop.in
  - update debian/rules
* Apport hook improvements:
  - Sort preferences alphabetically in the apport data
  - Treat preferences set in default addons as default prefs so that
    they don't show up in apport data, unless the preference files have
    been modified
  - Support random pref files dropped in to the Thunderbird install folder,
    and preferences from application bundles
  - Fix ordering issues when loading preferences
* Update the Apport blacklist file after dropping thunderbird-bin
  - update debian/apport/blacklist.in

[ Ben Collins <ben.collins@ubuntu.com> ]
* Cherry pick patch from aurora to use YARR interpreter on ppc
  - update debian/patches/fix-build-failure-without-yarr-jit.patch
  - update debian/patches/series
* Fix ppc build due to new dtoa library
  - add debian/patches/fix-dtoa-build-on-ppc.patch
  - update debian/patches/series

Author: Marc Deslauriers
Revision Date: 2012-07-16 09:50:58 UTC

* SECURITY UPDATE: possible arbitrary code execution via heap overflow
  in tiff2pdf.
  - debian/patches/CVE-2012-3401.patch: properly set t2p->t2p_error in
    tools/tiff2pdf.c.
  - CVE-2012-3401

Author: Marc Deslauriers
Revision Date: 2012-07-16 09:50:58 UTC

* SECURITY UPDATE: possible arbitrary code execution via heap overflow
  in tiff2pdf.
  - debian/patches/CVE-2012-3401.patch: properly set t2p->t2p_error in
    tools/tiff2pdf.c.
  - CVE-2012-3401

Author: Chris Coulson
Revision Date: 2012-07-13 22:47:26 UTC

* New upstream stable release (FIREFOX_14_0_1_BUILD1)
  - see LP: #1024562 for USN information

[ Chris Coulson <chris.coulson@canonical.com> ]
* Update globalmenu-extension to 3.2.5
  - Fix LP: #1010580 - No choice of folder when adding a bookmark from
    the bookmark menu
  - Fix a crash in uGlobalMenu::RecycleList::~RecycleList()
* Refresh patches
  - update debian/patches/ubuntu-codes-google.patch
  - update debian/patches/allow-lockPref-everywhere.patch
  - update debian/patches/plugin-for-mimetype-pref.patch
  - update debian/patches/firefox-kde.patch
* Drop patches fixed upstream
  - remove debian/patches/revert-bmo-621446-investigation.patch
  - update debian/patches/series
* Update desktop file translations
  - update debian/firefox.sh.in
* Drop the application/vnd.mozilla.xul+xml mimetype from the desktop file.
  Firefox hasn't been able to view XUL files from non-chrome URI's since
  version 4.0
  - update debian/firefox.desktop.in
* Add application/x-xpinstall to the MimeType field of the desktop file
  - update debian/firefox.desktop.in
* Drop the ability to select between tree/system libraries using a single
  option in debian/rules. It adds additional complexity and was never used
  - update debian/config/mozconfig.in
  - update debian/control.in
  - update debian/firefox-dev.install.in
  - update debian/firefox-dev.links.in
  - update debian/pkgconfig/libxul.pc.in
  - update debian/rules
* Fix make-makefile test failure when the build directory contains
  perl regexp control characters
  - add debian/patches/make-makefile-test-fix.patch
  - update debian/patches/series
* Shuffle the order of google-breakpad/src/common/dwarf/Makefile.in to fix a
  variable substitution issue, which was causing some objects to be built with
  the wrong compiler flags, resulting in dump_syms crashing (LP: #1002590)
  - add debian/patches/fix-makefile-substitution-bug.patch
* Update StartupWMClass to the correct name
  - update debian/firefox.desktop.in
  - update debian/rules
* Add search plugin for DuckDuckGo
* Fix LP: #1000820 - firefox-dev conflicts with xulrunner-1.9-dev for
  people with the latter still installed
  - update debian/control{,.in}
* Add Fulah to locales.blacklist
* Fix LP: #1013186 - install our vendor preferences as application
  defaults rather than GRE defaults, so that they are loaded after
  the upstream defaults again. The upstream defaults were also moved
  as part of the webapp runtime work (which has it's own application
  defaults)
  - update debian/firefox.install.in
  - update debian/firefox.links.in
* Apport hook improvements:
  - Sort preferences alphabetically in the apport data
  - Treat preferences set in default addons as default prefs so that
    they don't show up in apport data, unless the preference files have
    been modified
  - Support random pref files dropped in to the Firefox install folder, and
    preferences from application bundles
  - Fix ordering issues when loading preferences
* Drop debian/patches/plugin-for-mimetype-pref.patch. The burden of
  carrying this is starting to outweigh the benefits of it

[ Ben Collins <ben.collins@ubuntu.com> ]
* Cherry pick patch from aurora to use YARR interpreter on ppc
  - update debian/patches/fix-build-failure-without-yarr-jit.patch
  - update debian/patches/series
* Fix ppc build due to new dtoa library
  - add debian/patches/fix-dtoa-build-on-ppc.patch
  - update debian/patches/series

Author: Marc Deslauriers
Revision Date: 2012-07-10 08:24:35 UTC

* SECURITY UPDATE: multiple July 2012 security issues
  - debian/patches/2.6.4-Puppet-July-2012-CVE-fixes.patch: fix multiple
    security issues. Patch from upstream, with an additional fix to
    lib/puppet/reports/store.rb.
  - CVE-2012-3864: arbitrary file read on master from authenticated
    clients
  - CVE-2012-3865: arbitrary file delete or denial of service on master
    from authenticated clients
  - CVE-2012-3867: insufficient input validation for agent cert hostnames

Author: Marc Deslauriers
Revision Date: 2012-07-10 08:24:35 UTC

* SECURITY UPDATE: multiple July 2012 security issues
  - debian/patches/2.6.4-Puppet-July-2012-CVE-fixes.patch: fix multiple
    security issues. Patch from upstream, with an additional fix to
    lib/puppet/reports/store.rb.
  - CVE-2012-3864: arbitrary file read on master from authenticated
    clients
  - CVE-2012-3865: arbitrary file delete or denial of service on master
    from authenticated clients
  - CVE-2012-3867: insufficient input validation for agent cert hostnames

Author: Jamie Strandboge
Revision Date: 2012-07-09 17:40:00 UTC

* SECURITY UPDATE: fix buffer overflow in HarfBuzz
  - debian/patches/CVE-2011-3193.patch: adjust Lookup_MarkMarkPos() in
    harfbuzz-gpos.c to properly perform input validation when processing
    certain fonts
  - CVE-2011-3193
* SECURITY UPDATE: fix potential buffer overflow and crash in TIFF reader
  - debian/patches/CVE-2011-3194.patch: adjust QTiffHandler::read() to
    properly calculate the bits per pixel for greyscale TIFF images
  - CVE-2011-3194

Author: Jamie Strandboge
Revision Date: 2012-07-09 17:40:00 UTC

* SECURITY UPDATE: fix buffer overflow in HarfBuzz
  - debian/patches/CVE-2011-3193.patch: adjust Lookup_MarkMarkPos() in
    harfbuzz-gpos.c to properly perform input validation when processing
    certain fonts
  - CVE-2011-3193
* SECURITY UPDATE: fix potential buffer overflow and crash in TIFF reader
  - debian/patches/CVE-2011-3194.patch: adjust QTiffHandler::read() to
    properly calculate the bits per pixel for greyscale TIFF images
  - CVE-2011-3194

Author: Brian Murray
Revision Date: 2011-07-29 10:45:59 UTC

* Include bug fixes from upstream
  - report.py: Fix bug patterns to correctly match against compressed report
    (LP: #814729)
  - generic hook: Don't report package installation failures due to
    segfaulting maintainer scripts. We want the actual crash report only.
    (LP: #814727)

Author: Brian Murray
Revision Date: 2011-07-29 10:45:59 UTC

* Include bug fixes from upstream
  - report.py: Fix bug patterns to correctly match against compressed report
    (LP: #814729)
  - generic hook: Don't report package installation failures due to
    segfaulting maintainer scripts. We want the actual crash report only.
    (LP: #814727)

Author: Kees Cook
Revision Date: 2011-04-20 16:27:06 UTC

[ Kees Cook ]
* debian/rules: really ignore "start" result at install (LP: #767829).

[ Brian Murray ]
* Only prepend linux bug titles with [STAGING] if a title exists
  (LP: #767864).

Author: Christian Perrier
Revision Date: 2010-10-19 07:23:41 UTC

* Non-maintainer upload.
* Fix pending l10n issues. Debconf translations:
  - Spanish (Omar Campagne). Closes: #589495
  - Italian (Vincenzo Campanella). Closes: #600439
  - Spanish (Omar Campagne). Closes: #600535
  - Finnish (Esko Arajärvi). Closes: #600635

Author: Jamie Strandboge
Revision Date: 2012-06-20 16:58:25 UTC

* SECURITY UPDATE: fix integer overflows in graphic loading code
  - debian/patches/CVE-2012-1149.patch: adjust vcl/source/gdi/pngread.cxx to
    fail earlier on oversized images and properly verify chunks. Also adjust
    basebmp/source/bitmapdevice.cxx to to properly verify height and width.
    Properly verify width and height in
    svtools/source/filter.vcl/jpeg/jpeg.cxx
  - CVE-2012-1149
* SECURITY UPDATE: fix integer overflow when processing Escher graphics
  records in PowerPoint documents
  - debian/patches/CVE-2012-2334.patch: properly verify record lengths in
    filter/source/msfilter/msdffimp.cxx and msdffimp.hxx
  - CVE-2012-2334

Author: Björn Michaelsen
Revision Date: 2011-07-05 11:26:41 UTC

* merged all changes up to 3.3.3-1ubuntu1
* regenerate control

Author: Jamie Strandboge
Revision Date: 2012-06-20 16:58:25 UTC

* SECURITY UPDATE: fix integer overflows in graphic loading code
  - debian/patches/CVE-2012-1149.patch: adjust vcl/source/gdi/pngread.cxx to
    fail earlier on oversized images and properly verify chunks. Also adjust
    basebmp/source/bitmapdevice.cxx to to properly verify height and width.
    Properly verify width and height in
    svtools/source/filter.vcl/jpeg/jpeg.cxx
  - CVE-2012-1149
* SECURITY UPDATE: fix integer overflow when processing Escher graphics
  records in PowerPoint documents
  - debian/patches/CVE-2012-2334.patch: properly verify record lengths in
    filter/source/msfilter/msdffimp.cxx and msdffimp.hxx
  - CVE-2012-2334

Author: Björn Michaelsen
Revision Date: 2011-04-18 11:55:37 UTC

merged all changes from ubuntu-natty-3.3.1 up to 3.3.2-1ubuntu3

Author: Colin Watson
Revision Date: 2012-01-06 12:29:11 UTC

[ Scott Moser ]
Add --quiet to dpkg-divert calls in chroot_setup.

Author: Colin Watson
Revision Date: 2011-08-16 11:36:25 UTC

Honour apt-setup/security_path when constructing initial security
entries in sources.list (LP: #820306).

Author: Steve Langasek
Revision Date: 2012-07-03 10:37:13 UTC

Call date -s $(date -R) on upgrade, to resync any clocks that might
be desynced (and causing pthread spinning in the kernel) due to the leap
second. LP: #1020285.

Author: Michael Terry
Revision Date: 2011-06-17 10:36:34 UTC

* debian/patches/stop-forgetting-external-drives.patch:
  - Fix "Preferences aren't saved" (LP: #774897)

Author: Michael Terry
Revision Date: 2011-06-17 10:36:34 UTC

* debian/patches/stop-forgetting-external-drives.patch:
  - Fix "Preferences aren't saved" (LP: #774897)

Author: Chris Coulson
Revision Date: 2012-03-23 09:52:28 UTC

* Fix LP: #956961 - Firefox 11 doesn't use system proxy settings anymore
  in Ubuntu 11.04. By default in Ubuntu 11.04, we install the proxy settings
  schema even though it isn't consumed by anything. Now that Firefox uses
  gsettings for the proxy settings (if the schema exists), having the schema
  installed breaks things in 11.04. Note that the same is also true for the
  background settings, so we drop both the proxy and background schemas
  from this package
  - update debian/rules

Author: Chris Coulson
Revision Date: 2012-03-23 09:52:28 UTC

* Fix LP: #956961 - Firefox 11 doesn't use system proxy settings anymore
  in Ubuntu 11.04. By default in Ubuntu 11.04, we install the proxy settings
  schema even though it isn't consumed by anything. Now that Firefox uses
  gsettings for the proxy settings (if the schema exists), having the schema
  installed breaks things in 11.04. Note that the same is also true for the
  background settings, so we drop both the proxy and background schemas
  from this package
  - update debian/rules

Author: Jamie Strandboge
Revision Date: 2012-06-29 07:28:16 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2012-06-29 07:28:16 UTC

fake sync from Debian

Author: Marc Deslauriers
Revision Date: 2012-06-27 15:24:10 UTC

* SECURITY UPDATE: incorrect ElGamal key generation
  - debian/patches/CVE-2012-2417.patch: generate safe prime numbers in
    lib/Crypto/PublicKey/ElGamal.py, backport getRandomRange() to
    lib/Crypto/Util/number.py.
  - CVE-2012-2417

Author: Marc Deslauriers
Revision Date: 2012-06-27 15:24:10 UTC

* SECURITY UPDATE: incorrect ElGamal key generation
  - debian/patches/CVE-2012-2417.patch: generate safe prime numbers in
    lib/Crypto/PublicKey/ElGamal.py, backport getRandomRange() to
    lib/Crypto/Util/number.py.
  - CVE-2012-2417

Author: Tim Gardner
Revision Date: 2011-09-12 19:28:14 UTC

no change upload with version difference.

Author: Tim Gardner
Revision Date: 2011-09-12 19:28:14 UTC

no change upload with version difference.

Author: Max Bowsher
Revision Date: 2012-06-27 22:54:46 UTC

* Backport:
  - Remove multiarch support.

Author: Chris Coulson
Revision Date: 2012-06-27 20:29:51 UTC

* New upstream release v2.1.1
  - Drop the alternative plugin selector, as it depends on a patch that
    we no longer carry in Firefox

Author: Chris Coulson
Revision Date: 2012-06-27 20:29:51 UTC

* New upstream release v2.1.1
  - Drop the alternative plugin selector, as it depends on a patch that
    we no longer carry in Firefox

Author: Micah Gersten
Revision Date: 2012-06-25 12:59:34 UTC

[ Chris Coulson ]
* Set the correct startup timestamp when launching applications; This an
  additional fix for the issue of Firefox/Thunderbird changing the
  way that they handle windows based on timestamps (LP: #1016386)
  - update launcher/UnityApplications/launcherapplication.cpp

Author: Micah Gersten
Revision Date: 2012-06-25 12:59:34 UTC

[ Chris Coulson ]
* Set the correct startup timestamp when launching applications; This an
  additional fix for the issue of Firefox/Thunderbird changing the
  way that they handle windows based on timestamps (LP: #1016386)
  - update launcher/UnityApplications/launcherapplication.cpp

Author: Steve Beattie
Revision Date: 2012-06-18 16:53:32 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2012-06-18 16:53:32 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2012-06-08 11:27:50 UTC

* SECURITY UPDATE: Fix XML External Entity (XXE) attack
 - debian/patches/02-CVE-2012-0037.patch: Enforce entity loading policy in
   raptor_libxml_resolveEntity and raptor_libxml_getEntity by checking for
   file URIs and network URIs.
 - CVE-2012-0037

Author: Jamie Strandboge
Revision Date: 2012-06-08 11:27:50 UTC

* SECURITY UPDATE: Fix XML External Entity (XXE) attack
 - debian/patches/02-CVE-2012-0037.patch: Enforce entity loading policy in
   raptor_libxml_resolveEntity and raptor_libxml_getEntity by checking for
   file URIs and network URIs.
 - CVE-2012-0037

Author: Marc Deslauriers
Revision Date: 2012-06-12 10:26:36 UTC

* Update to 0.7.6 to fix multiple security issues. (LP: #1012132)
  - CVE-2011-3929
  - CVE-2011-3936
  - CVE-2011-3940
  - CVE-2011-3945
  - CVE-2011-3947
  - CVE-2011-3951
  - CVE-2011-3952
  - CVE-2012-0850
  - CVE-2012-0851
  - CVE-2012-0852
  - CVE-2012-0853
  - CVE-2012-0858
  - CVE-2012-0859
  - CVE-2012-0947

Author: Jamie Strandboge
Revision Date: 2012-06-15 07:59:17 UTC

* SECURITY UPDATE: Disable apt-key net-update for now, as validation
  code is still insecure
  - cmdline/apt-key: exit 1 immediately in net_update()
  - CVE-2012-0954
  - LP: #1013639

Author: Jamie Strandboge
Revision Date: 2012-06-15 07:59:17 UTC

* SECURITY UPDATE: Disable apt-key net-update for now, as validation
  code is still insecure
  - cmdline/apt-key: exit 1 immediately in net_update()
  - CVE-2012-0954
  - LP: #1013639

Author: Thomas Ward
Revision Date: 2012-05-20 13:05:42 UTC

* Security update (closes LP: #956150):
  * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
  * Patch to fix 'Heap-based buffer overflow in compression-pointer
    processing in core/ngx_resolver.c' (CVE-2011-4315).

Author: Thomas Ward
Revision Date: 2012-05-20 13:05:42 UTC

* Security update (closes LP: #956150):
  * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
  * Patch to fix 'Heap-based buffer overflow in compression-pointer
    processing in core/ngx_resolver.c' (CVE-2011-4315).

Author: Marc Deslauriers
Revision Date: 2012-06-13 14:57:45 UTC

Rebuild against libav security update

Author: Marc Deslauriers
Revision Date: 2012-06-13 14:57:45 UTC

Rebuild against libav security update

Author: Micah Gersten
Revision Date: 2012-06-05 01:54:14 UTC

* fix LP: #989184 - Firefox 12's launcher script is not allowed in
  abstractions/ubuntu-browsers; This was a regression from the firefox
  path changing to a non-versioned path in the Firefox 12 packaging
  - add debian/patches/0016-lp989184.patch
  - update debian/patches/series
* fix LP: #990931 - Thunderbird is being blocked by apparmor from Firefox;
  This was a regression from the Thunderbird path changing to a non-versioned
  path in the Thunderbird 12 packaging
  - add debian/patches/0015-lp990931.patch
  - update debian/patches/series