ca-certificates (20161102) unstable; urgency=medium
Update Mozilla certificate authority bundle to version 2.9.
The following certificate authorities were added (+):
+ "Certplus Root CA G1"
+ "Certplus Root CA G2"
+ "Certum Trusted Network CA 2"
+ "Hellenic Academic and Research Institutions ECC RootCA 2015"
+ "Hellenic Academic and Research Institutions RootCA 2015"
+ "ISRG Root X1"
+ "OpenTrust Root CA G1"
+ "OpenTrust Root CA G2"
+ "OpenTrust Root CA G3"
+ "SZAFIR ROOT CA2"
The following certificate authorities were removed (-):
- "CA Disig"
- "NetLock Business (Class B) Root"
- "NetLock Express (Class C) Root"
- "NetLock Notary (Class A) Root"
- "NetLock Qualified (Class QA) Root"
- "Sonera Class 1 Root CA"
- "Staat der Nederlanden Root CA"
- "Verisign Class 1 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"
- "Verisign Class 3 Public Primary Certification Authority - G2"
-- Michael Shuler <michael@pbandjelly.org>  Wed, 02 Nov 2016 21:15:03 -0500
ca-certificates (20151214) unstable; urgency=medium
Removed SPI CA. Closes: #796208
Updated Mozilla certificate authority bundle to version 2.6.
The following certificate authorities were added (+):
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ "Certinomis - Root CA"
+ "OISTE WISeKey Global Root GB CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
The following certificate authorities were removed (-):
- "A-Trust-nQual-03"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
-- Michael Shuler <michael@pbandjelly.org>  Mon, 14 Dec 2015 18:51:50 -0600
ca-certificates (20150426) unstable; urgency=medium
Update Mozilla certificate authority bundle to version 2.4.
The following certificate authorities were added (+):
+ "CFCA EV ROOT"
+ "COMODO RSA Certification Authority"
+ "Entrust Root Certification Authority - EC1"
+ "Entrust Root Certification Authority - G2"
+ "GlobalSign ECC Root CA - R4"
+ "GlobalSign ECC Root CA - R5"
+ "IdenTrust Commercial Root CA 1"
+ "IdenTrust Public Sector Root CA 1"
+ "S-TRUST Universal Root CA"
+ "Staat der Nederlanden EV Root CA"
+ "Staat der Nederlanden Root CA - G3"
+ "USERTrust ECC Certification Authority"
+ "USERTrust RSA Certification Authority" Closes: #762709
The following certificate authorities were removed (-):
- "America Online Root Certification Authority 1"
- "America Online Root Certification Authority 2"
- "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
- "GTE CyberTrust Global Root"
- "Thawte Premium Server CA"
- "Thawte Server CA"
-- Michael Shuler <michael@pbandjelly.org>  Sun, 26 Apr 2015 10:37:48 -0500
glibc (2.21-2) unstable; urgency=medium
Starting with version 2.21-1, glibc requires a 3.2 or later Linux
kernel. If you use an older kernel, please upgrade it *before*
installing this glibc version. Failing to do so will end up with the
following failure:
Preparing to unpack .../libc6_2.21-1_amd64.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
WARNING: this version of the GNU libc requires kernel version
3.2 or later. Please upgrade your kernel before installing
glibc.
Note: This obviously does not apply to non-Linux kernels.
-- Aurelien Jarno <aurel32@debian.org>  Thu, 03 Dec 2015 22:46:21 +0100
gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
The gnupg package now provides the "modern" version of GnuPG.
Please read /usr/share/doc/gnupg/README.Debian for details about the
transition from "classic" to "modern".
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 30 Mar 2016 09:59:35 -0400
ifupdown (0.8.17) unstable; urgency=medium
Ifupdown now also configures VLANs for bridge interfaces. (Previously, the
bridge-utils package integrated with the vlan package to do this via if-up
hooks; since bridge-utils 1.5-11 this integration has been removed.)
-- Guus Sliepen <guus@debian.org>  Tue, 10 Jan 2017 17:20:09 +0100
ifupdown (0.8.1) unstable; urgency=medium
The /etc/default/networking file is now read even when systemd is used,
although its use is not recommended.
-- Guus Sliepen <guus@debian.org>  Wed, 02 Dec 2015 23:25:41 +0100
ifupdown (0.8) unstable; urgency=medium
Ifupdown now comes with a systemd service file. Any options specified in
/etc/default/networking will no longer be used. If you are using
CONFIGURE_INTERFACES=no, then run "systemctl disable networking" instead.
If you are using EXCLUDE_INTERFACES, then edit /etc/network/interfaces and
remove those interfaces from any "auto" keywords.
Ifupdown will now be more strict when errors occur, and will also properly
return a non-zero exit code when (de)configuring an interface fails. Please
ensure your /etc/network/interfaces is correct and that your interfaces can
be brought up and down without errors, especially during system startup.
Ifupdown now has more fine-grained locking, allowing concurrent calls of
ifup and ifdown. It is also allowed to call ifup and ifdown from a (pre-)up
or (post-)down line from /etc/network/interfaces, as long as no recursion
occurs.
You can now use the "inherits" keyword to copy settings from another
interface stanza.
RFC 4361 DDNS support is now enabled by default for inet dhcp interfaces if
isc-dhcp-client is installed.
-- Guus Sliepen <guus@debian.org>  Sun, 22 Nov 2015 21:19:44 +0100
initramfs-tools (0.129) unstable; urgency=medium
* Some systems that do not support suspend-to-disk (hibernation) will
require a configuration change to explicitly disable this.
From version 0.128, the boot code waits for a suspend/resume device
to appear, rather than checking just once. If the configured or
automatically selected resume device is not available at boot time,
this results in a roughly 30 second delay.
You should set the RESUME variable in
/etc/initramfs-tools/conf.d/resume or
/etc/initramfs-tools/initramfs.conf to one of:
- auto - select the resume device automatically
- none - disable use of a resume device
- UUID=<uuid> - use a specific resume device (by UUID)
- /dev/<name> - use a specific resume device (by kernel name)
-- Ben Hutchings <ben@decadent.org.uk>  Thu, 20 Apr 2017 23:21:32 +0100
initramfs-tools (0.121~rc1) unstable; urgency=medium
* If initramfs-tools is configured to use busybox but it is not
installed, mkinitramfs will now fail. Previously it would quietly use
klibc instead, sometimes producing a broken initramfs. You may need
to modify /etc/initramfs-tools/initramfs.conf or install busybox when
upgrading.
* Support for loop-aes has been removed. If you use loop-aes encryption
for the root or /usr filesystem, you will need to switch to cryptsetup.
See the 'loop-AES extension' section in cryptsetup(8).
-- Ben Hutchings <ben@decadent.org.uk>  Tue, 22 Dec 2015 21:56:40 +0000
iputils (3:20150815-1) unstable; urgency=medium
As of 3:20150815-1, the ping and ping6 commands are unified in a single
binary that can communicate with targets of either address family. In
order to force the use of a specific address family, you need to either
pass the argument -4 or -6 on the command line, or call the program via
one of the ping4 or ping6 names.
You will need to be particularly aware of this change if you're invoking ping
via a script as part of a monitoring or other such automated system.
-- Noah Meyerhans <noahm@debian.org>  Fri, 19 Feb 2016 22:26:30 -0800
kbd (2.0.3-2) unstable; urgency=medium
The kbd init script is no longer supported. If the configuration in
/etc/kbd/config and /etc/kbd/remap is unmodified, there will be an
attempt to automatically clean up those files as well as the
/etc/init.d/kbd init script on upgrade; if not, THEY ARE LEFT IN PLACE
and considered owned by the local admin.
Most people probably use console-setup to configure their console, but
this is not a requirement on Debian. We prefer always having something
around that configures the console, which is why we don't
unconditionally drop the above files.
You can use the following command to check if you have console-setup
installed: dpkg-query -s console-setup
If it says "...is not installed..." you might want to start using
console-setup by installing it: apt-get install console-setup
Unless you know you want to keep using the obsolete init script and
maintain it yourself, it is recommended that you make sure the files are
removed using the following commands:
rm -f /etc/init.d/kbd /etc/kbd/config /etc/kbd/remap && rmdir /etc/kbd
update-rc.d -f kbd remove
-- Andreas Henriksson <andreas@fatal.se>  Tue, 05 Jan 2016 17:55:55 +0100
libcgi-pm-perl (4.15-1) unstable; urgency=medium
From upstream Changes, 4.15:
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
[...]
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typos in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it thoroughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
From upstream Changes, 4.13:
- CGI::Pretty is now DEPRECATED and will be removed in a future release.
Please see GH #162 (https://github.com/leejo/CGI.pm/issues/162) for more
information and discussion (also GH #140 for HTML function deprecation
discussion: https://github.com/leejo/CGI.pm/issues/140)
-- gregor herrmann <gregoa@debian.org>  Sat, 09 May 2015 22:01:44 +0200
linux-latest (76) unstable; urgency=medium
* From Linux 4.8, several changes have been made in the kernel
configuration to 'harden' the system, i.e. to mitigate security bugs.
Some changes may cause legitimate applications to fail, and can be
reverted by run-time configuration:
- On most architectures, the /dev/mem device can no longer be used to
access devices that also have a kernel driver. This breaks dosemu
and some old user-space graphics drivers. To allow this, set the
kernel parameter: iomem=relaxed
- The kernel log is no longer readable by unprivileged users. To
allow this, set the sysctl: kernel.dmesg_restrict=0
-- Ben Hutchings <ben@decadent.org.uk>  Sat, 29 Oct 2016 02:05:32 +0100
linux-latest (75) unstable; urgency=medium
* From Linux 4.7, the iptables connection tracking system will no longer
automatically load helper modules. If your firewall configuration
depends on connection tracking helpers, you should explicitly load the
required modules. For more information, see
<https://home.regit.org/netfilter-en/secure-use-of-helpers/>.
-- Ben Hutchings <ben@decadent.org.uk>  Sat, 29 Oct 2016 01:53:18 +0100
net-tools (1.60+git20161116.90da8a0-1) unstable; urgency=medium
After 15 years without upstream development, net-tools is being worked on
again, fixing many long-standing issues.
The bad news is that the output of many commands has changed, and it is sure
to break scripts that relied on parsing it.
If you have custom scripts that use any of these commands, please make sure
they still work after this upgrade:
netstat, ifconfig, ipmaddr, iptunnel, mii-tool, nameif, plipconfig, rarp,
route, slattach, arp.
Apologies in advance for the trouble that this may cause, but maintaining a
separate version of net-tools just to keep the old format is something I am
not able to do.
-- Martín Ferrari <tincho@debian.org>  Mon, 26 Dec 2016 05:29:25 +0000
ntp (1:4.2.8p4+dfsg-2) unstable; urgency=medium
You now need to use "rlimit memlock -1" to disable locking memory. The
behaviour for "rlimit memlock 0" changed between 4.2.8p3 and 4.2.8p4:
it now tries to lock all the memory. For various people this still
breaks things.
-- Kurt Roeckx <kurt@roeckx.be>  Thu, 22 Oct 2015 18:58:56 +0200
opendkim (2.11.0~alpha-8) unstable; urgency=medium
On systems using systemd, this version replaces /etc/default/opendkim
with the files /etc/systemd/system/opendkim.service.d/override.conf
and /etc/tmpfiles.d/opendkim.conf, carrying over non-default settings.
Note: since /etc/default/opendkim is removed if you are using systemd, if
you later switch back to sysvinit, you will have to manually recreate it
if needed.
-- Scott Kitterman <scott@kitterman.com>  Mon, 07 Nov 2016 12:14:31 -0500
openssh (1:7.4p1-7) unstable; urgency=medium
This version restores the default for AuthorizedKeysFile to search both
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
Debian configurations before 1:7.4p1-1. Upstream intends to phase out
searching ~/.ssh/authorized_keys2 by default, so you should ensure that
you are only using ~/.ssh/authorized_keys, at least for critical
administrative access; do not assume that the current default will remain
in place forever.
-- Colin Watson <cjwatson@debian.org>  Sun, 05 Mar 2017 02:12:42 +0000
openssh (1:7.4p1-1) unstable; urgency=medium
OpenSSH 7.4 includes a number of changes that may affect existing
configurations:
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
mandatory cipher in the SSH RFCs, this may cause problems connecting to
older devices using the default configuration, but it's highly likely
that such devices already need explicit configuration for key exchange
and hostkey algorithms anyway.
* sshd(8): Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the
1990s, but today it's clearly a bad idea in terms of both cryptography
(cf. multiple compression oracle attacks in TLS) and attack surface.
Pre-auth compression support has been disabled by default for >10
years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
trusted paths by default. The path whitelist may be specified at
run-time.
* sshd(8): When a forced-command appears in both a certificate and an
authorized keys/principals command= restriction, sshd will now refuse
to accept the certificate unless they are identical. The previous
(documented) behaviour of having the certificate forced-command
override the other could be a bit confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and support for
having /bin/login manage login sessions.
The unprivileged sshd process that deals with pre-authentication network
traffic is now subject to additional sandboxing restrictions by default:
that is, the default sshd_config now sets UsePrivilegeSeparation to
"sandbox" rather than "yes". This has been the case upstream for a while,
but until now the Debian configuration diverged unnecessarily.
-- Colin Watson <cjwatson@debian.org>  Tue, 27 Dec 2016 18:01:46 +0000
openssh (1:7.2p1-1) unstable; urgency=medium
OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
default in ssh:
* Several ciphers: blowfish-cbc, cast128-cbc, all arcfour variants and the
rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
-- Colin Watson <cjwatson@debian.org>  Tue, 08 Mar 2016 11:47:20 +0000
openssh (1:7.1p1-2) unstable; urgency=medium
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
cryptography.
* Support for the legacy SSH version 1 protocol is disabled by default at
compile time. Note that this also means that the Cipher keyword in
ssh_config(5) is effectively no longer usable; use Ciphers instead for
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in such cases and ask them to
upgrade.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
disabled by default at run-time. It may be re-enabled using the
instructions at
http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
default at run-time. These may be re-enabled using the instructions at
http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
Future releases will retire more legacy cryptography, including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
all arcfour variants, and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
-- Colin Watson <cjwatson@debian.org>  Tue, 08 Dec 2015 15:33:08 +0000
openssh (1:6.9p1-1) unstable; urgency=medium
UseDNS now defaults to 'no'. Configurations that match against the client
host name (via sshd_config or authorized_keys) may need to re-enable it or
convert to matching against addresses.
-- Colin Watson <cjwatson@debian.org>  Thu, 20 Aug 2015 10:38:58 +0100
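A configuration audit for the OpenSSH changes described in the 1:6.9p1-1 through 1:7.4p1-7 entries above (legacy ciphers, MD5/truncated MACs, the group1 KEX, DSA host keys, authorized_keys2, Protocol 1, UseDNS, UsePrivilegeSeparation and UseLogin). This is an added example written for this page, not Debian's or OpenSSH's code; the algorithm and directive names come from those entries, and the sample sshd_config at the bottom is constructed.

```python
"""Audit an sshd_config for the settings the OpenSSH 7.0-7.4 entries above
disable, remove or warn about.  Added example: algorithm and keyword names
come from those entries; the sample configuration at the bottom is constructed."""
import re

# Ciphers the entries list as disabled by default (client and server).
LEGACY_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour",
                  "arcfour128", "arcfour256", "rijndael-cbc@lysator.liu.se"}

def parse_sshd_config(text):
    """Map lower-cased keyword -> list of values in file order (global section
    only: a Match block applies conditionally, so parsing stops there)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_sshd_config(text)
    findings = []
    def first(keyword, default):
        return cfg.get(keyword, [default])[0].strip()   # sshd keeps the first value
    def algos(keyword):
        # Comma-separated list; a leading +/- adds to or removes from the defaults.
        return {a.strip() for a in first(keyword, "").lstrip("+-").split(",") if a.strip()}
    for name in sorted(algos("ciphers") & LEGACY_CIPHERS):
        findings.append(f"Ciphers enables legacy cipher {name}")
    for name in sorted(algos("macs")):
        if "md5" in name or name.endswith("-96"):       # MD5-based or truncated HMAC
            findings.append(f"MACs enables weak HMAC {name}")
    for name in sorted(algos("kexalgorithms") & {"diffie-hellman-group1-sha1"}):
        findings.append(f"KexAlgorithms enables 1024-bit group {name}")
    for name in sorted(algos("hostkeyalgorithms")):
        if name == "ssh-dss" or name.startswith("ssh-dss-cert"):
            findings.append(f"HostKeyAlgorithms enables DSA key type {name}")
    for path in first("authorizedkeysfile", "").split():
        if path.endswith("authorized_keys2"):
            findings.append(f"AuthorizedKeysFile still searches {path}")
    if "1" in first("protocol", "2").split(","):
        findings.append("Protocol 1 requested, but SSH1 support is compiled out")
    if first("usedns", "no").lower() == "yes":
        findings.append("UseDNS yes: relies on hostname matching, now off by default")
    if first("useprivilegeseparation", "sandbox").lower() != "sandbox":
        findings.append("UsePrivilegeSeparation is not 'sandbox'")
    if "uselogin" in cfg:
        findings.append("UseLogin is set, but the directive was removed in 7.4")
    return findings

# Constructed sample that trips every check above.
SAMPLE_SSHD_CONFIG = """\
Protocol 2,1
Ciphers aes128-ctr,3des-cbc,arcfour256
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
HostKeyAlgorithms ssh-ed25519,ssh-dss
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
UseDNS yes
UsePrivilegeSeparation yes
UseLogin no
"""

print(*audit_sshd_config(SAMPLE_SSHD_CONFIG), sep="\n")
```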
openssl (1.1.0c-3) unstable; urgency=medium
The openssl enc command changed the default digest (used to create the key
from the passphrase) from MD5 to SHA256 since version 1.1.0. The digest can
be specified with the -md option.
-- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 27 Dec 2016 23:37:36 +0100
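Added example, not OpenSSL's code: it re-implements the EVP_BytesToKey derivation that `openssl enc` uses (a single hash iteration) with Python's hashlib, so you can see that the same passphrase and salt yield unrelated keys under MD5 and SHA256, which is why output from a pre-1.1.0 openssl needs `-md md5` to decrypt on 1.1.0. The "Salted__" header layout is OpenSSL's; the passphrase, salt and blob used here are constructed.

```python
"""Key derivation behind `openssl enc`, re-implemented to show what the 1.1.0
default-digest change (MD5 -> SHA256) does to the derived key.  Added
example, not OpenSSL's code: EVP_BytesToKey with one iteration, as enc uses
it, on Python's hashlib.  Passphrase, salt and the blob below are constructed."""
import hashlib

SALT_MAGIC = b"Salted__"   # header openssl enc writes before the 8-byte salt

def evp_bytes_to_key(passphrase, salt, key_len, iv_len, digest):
    """D_1 = H(pass||salt), D_i = H(D_{i-1}||pass||salt); the digests are
    concatenated until key_len + iv_len bytes exist.  Returns (key, iv)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def salt_from_enc_output(blob):
    """Extract the salt from `openssl enc -salt` output, or None if unsalted."""
    if not blob.startswith(SALT_MAGIC) or len(blob) < 16:
        return None
    return blob[8:16]

def candidate_keys(passphrase, salt, key_len=32, iv_len=16):
    """(key, iv) an old (MD5) and a new (SHA256) openssl enc derive for the
    same passphrase and salt; sizes default to aes-256-cbc.  Decrypting
    pre-1.1.0 output on 1.1.0 therefore needs -md md5."""
    return {
        "md5": evp_bytes_to_key(passphrase, salt, key_len, iv_len, "md5"),
        "sha256": evp_bytes_to_key(passphrase, salt, key_len, iv_len, "sha256"),
    }

if __name__ == "__main__":
    # Constructed stand-in for a file written by `openssl enc -aes-256-cbc -salt`.
    blob = SALT_MAGIC + bytes(range(8)) + b"\x00" * 16
    salt = salt_from_enc_output(blob)
    for name, (key, iv) in candidate_keys(b"example passphrase", salt).items():
        print(f"{name:6} key={key.hex()} iv={iv.hex()}")
```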
pinentry-gtk2 (0.9.6-3) unstable; urgency=medium
Since pinentry-gtk2 0.9.6, upstream now uses the default GTK text
entry widget instead of a custom text-entry widget. The GTK text
entry widget in password mode may display characters while typed based
on the setting of gtk-entry-password-hint-timeout. This value
defaults to 0 (never display), but may be overridden in
/etc/gtk-2.0/gtkrc or ~/.gtkrc-2.0. If your password entry shows the
last character typed, please ensure that this value is not set in your
system's configuration files.
See
https://developer.gnome.org/gtk2/stable/GtkSettings.html#GtkSettings--gtk-e…
and https://bugs.debian.org/801757 for more details.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 19 Oct 2015 20:39:25 -0400
systemd (231-1) unstable; urgency=low
This version drops support for running /etc/rcS.d SysV init scripts.
These are prone to cause dependency loops, and almost all Debian packages
with rcS scripts now ship a native systemd service. If you have custom or
third-party rcS scripts you need to convert them or change them to run
in rc2.d/ - rc5.d/; see this page for details:
<https://wiki.debian.org/Teams/pkg-systemd/rcSMigration>.
-- Martin Pitt <mpitt@debian.org>  Thu, 14 Jul 2016 12:54:34 +0200
systemd (224-2) unstable; urgency=medium
This version splits out systemd-nspawn, systemd-machined, and machinectl
into the new "systemd-container" package. That now also enables
systemd-importd.
-- Martin Pitt <mpitt@debian.org>  Sat, 22 Aug 2015 15:58:43 +0200
duplicity (0.7.03-1) unstable; urgency=low
include/exclude behaviour
include and exclude filelist now support globbing, but
the behaviour has changed somewhat: please refer to
/usr/share/doc/duplicity/changelog.gz (and the duplicity
manpage) for further details.
-- Alexander Zangerl <az@debian.org>  Sun, 07 Jun 2015 13:13:05 +1000
duplicity (0.7.02-1) unstable; urgency=low
scp:// access and restricted shells
Version 0.7 is pickier about commands failing on a target host,
and aborts in that case.
This will affect you if you are using a restrictive shell like rssh
together with scp:// access, as duplicity will try to check and mkdir
the backup dir using an interactive ssh connection - which rssh
disallows. (scp does not have any facility for directory listings
or creation.)
Solution: use the sftp:// access mechanism.
-- Alexander Zangerl <az@debian.org>  Wed, 25 Mar 2015 21:14:10 +1000
fail2ban (0.9.0+git48-gabcab00-1) experimental; urgency=low
[ Yaroslav Halchenko ]
* This version went through a big refactoring which made new features
possible, such as multiline matching (see upstream's changelog for more
information).
* Although .local files are still supported, it is advised that
customizations be provided under the corresponding .d/ directories. E.g. see
/etc/fail2ban/jail.d/defaults-debian.conf, which is where the sshd jail is
now enabled by default to match the previous behavior of Fail2Ban in
Debian.
[ Daniel Schaal ]
* All jail definitions were rewritten to become more concise and uniform.
From this version on, log paths are defined in distro-specific files;
for Debian this is /etc/fail2ban/paths-debian.conf.
-- Yaroslav Halchenko <debian@onerussian.com>  Tue, 25 Mar 2014 08:38:31 -0400
lsb (9.20150826) unstable; urgency=low
This update drops all lsb-* compatibility packages, and therefore abandons
the pursuit of LSB compatibility for Debian. Only lsb-release and
lsb-base are kept as they continue to be used throughout the archive.
-- Didier Raboud <odyx@debian.org>  Wed, 26 Aug 2015 12:00:00 +0200
make-dfsg (4.1-2) unstable; urgency=low
WARNING: Backward-incompatibility!
The ar program in the binutils package in Debian is now configured
with --enable-deterministic-archives. This change makes the archives
reproducible, by setting the UID, GID, and timestamp to 0. However,
when dealing with archives created with the libxx(*.o) style rules,
make needs the timestamp of the file in order to decide to update it
or not. With the current deterministic behavior of ar, the time stamp
is always 0. This has consequences, since make will fall back to always
adding each member to the archive, whether or not it is required. This
is a change in behaviour, and, for instance, it makes make fail to
build, failing 7 out of 10 archive tests.
Since binutils will create archives with time stamps set to 0 when
running in "deterministic" mode, make will always try to update such
members. When this is detected, make will emit a warning.
There is some online discussion:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798804
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798913
https://bugzilla.redhat.com/show_bug.cgi?id=1195883
-- Manoj Srivastava <srivasta@debian.org>  Mon, 18 Jan 2016 16:09:19 -0800
python-lockfile (1:0.10.2-1) unstable; urgency=low
As of version 0.9, the Python API in ‘lockfile’ breaks backward
compatibility with older versions. From the upstream release notes:
* The names of the three main classes have changed as follows:
LinkFileLock -> LinkLockFile
MkdirFileLock -> MkdirLockFile
SQLiteFileLock -> SQLiteLockFile
Any Python code written to use the names from older APIs will break in
this version. Such code needs to be migrated to use the new names.
-- Ben Finney <ben+debian@benfinney.id.au>  Wed, 06 May 2015 10:38:38 +1000