initramfs-tools (0.119) unstable; urgency=medium
* The initramfs will now run fsck on the root filesystem before
mounting it. If the chosen init program is systemd and there is a
separate /usr filesystem, it will also fsck and mount /usr.
* If /usr is a separate filesystem on a RAID device and the INITRDSTART
setting in /etc/default/mdadm is not 'all', you will need to change it
to include that device.
* If /usr is a separate filesystem on an LVM logical volume, and the
line for /usr in /etc/fstab specifies the device by UUID or LABEL,
you must change this line to specify the device using the format
/dev/mapper/VG-LV or /dev/VG/LV.
* It is no longer possible to bind-mount the /usr filesystem.
* If the RTC (real time clock) is set to local time and the local time is
ahead of UTC, e2fsck will print a warning during boot about the time
changing backward (bug #767040). You can disable this by putting the
following lines in /etc/e2fsck.conf:
    [options]
    broken_system_clock=1
-- Ben Hutchings <ben(a)decadent.org.uk> Mon, 13 Apr 2015 01:00:21 +0100
libdbd-pg-perl (3.0.0-1) unstable; urgency=medium
From upstream Changes:
- Major change in UTF-8 handling. If client_encoding is set to UTF-8,
always mark returned Perl strings as utf8. See the pg_enable_utf8 docs
for more information.
-- gregor herrmann <gregoa(a)debian.org> Wed, 12 Feb 2014 19:32:53 +0100
linux-latest (47) unstable; urgency=medium
* The kernel image is now compressed using xz compression. If you are
running it under a virtualisation system such as Xen, that will
decompress the kernel itself, then you will need to ensure that the
system is up to date and includes support for such kernels.
The Xen system included in Debian 7 'wheezy' does support this.
See https://wiki.debian.org/Xen#Error_.22unknown_compression_format.22
for more information.
-- Ben Hutchings <ben(a)decadent.org.uk> Thu, 14 Aug 2014 02:20:57 +0100
openssh (1:6.7-5) unstable; urgency=medium
openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
a number of specific LC_FOO variables rather than the wildcard LC_*. I
have since been persuaded that this was a bad idea and have reverted it,
but it is difficult to automatically undo the change to
/etc/ssh/sshd_config without compounding the problem (that of modifying
configuration that some users did not want to be modified) further. Most
users who upgraded via version 1:6.7p1-4 should restore the previous value
of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
-- Colin Watson <cjwatson(a)debian.org> Sun, 22 Mar 2015 23:09:32 +0000
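
The check described in the openssh entry above can be scripted. This is an added example, not part of the NEWS text or the openssh package: it classifies the global AcceptEnv setting of an sshd_config file as the wildcard form, an explicit LC_ list, or neither. The function names and the sample files (including the explicit variable list) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the openssh package): classify the global AcceptEnv
# setting of an sshd_config file. Sample files below are constructed.

# Print every global AcceptEnv pattern, one per line. Keywords are
# case-insensitive, AcceptEnv may be repeated, and lines after the first
# Match apply only conditionally, so parsing stops there.
acceptenv_patterns() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($1) == "match" { exit }
        {
            if (match(tolower($0), /^acceptenv[ \t=]+/)) {
                n = split(substr($0, RLENGTH + 1), pat, /[ \t]+/)
                for (i = 1; i <= n; i++) if (pat[i] != "") print pat[i]
            }
        }
    ' "$1"
}

# Print "wildcard" if LC_* is accepted, "explicit-list" if only specific
# LC_FOO names are accepted, "none" if no LC_ pattern is set globally.
acceptenv_status() {
    pats=$(acceptenv_patterns "$1")
    result=none
    # Read line by line so the shell never glob-expands a pattern like LC_*.
    while IFS= read -r p; do
        case $p in
            'LC_*') result=wildcard; break ;;
            LC_*)   result=explicit-list ;;
        esac
    done <<EOF
$pats
EOF
    echo "$result"
}

# Write three constructed sample configurations into directory $1.
write_acceptenv_samples() {
    printf '%s\n' '# constructed sample' 'Port 22' \
        'AcceptEnv LANG LC_CTYPE LC_MESSAGES' 'AcceptEnv LC_TIME' \
        'Match User deploy' '    AcceptEnv LC_*' > "$1/explicit"
    printf '%s\n' 'acceptenv LANG' 'AcceptEnv LC_*' > "$1/wildcard"
    printf '%s\n' '#AcceptEnv LANG LC_*' 'PermitRootLogin no' > "$1/none"
}

# Classify any files named on the command line, e.g. /etc/ssh/sshd_config.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(acceptenv_status "$f")"
done
```

A result of "explicit-list" is the state the entry says most users who upgraded via 1:6.7p1-4 should change back to "AcceptEnv LANG LC_*".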
php5 (5.6.0~rc3+dfsg-2) unstable; urgency=medium
* The default session.save_path has been changed from /var/lib/php5
to /var/lib/php5/sessions.
-- Ondřej Surý <ondrej(a)debian.org> Thu, 14 Aug 2014 10:20:59 +0200
php5 (5.6.0~beta4+dfsg-2) unstable; urgency=medium
* Full upstream upgrade notes are available at:
/usr/share/doc/php5-common/UPGRADING.gz
* The backwards incompatible changes introduced in PHP 5.6:
- Core:
By fixing bug #66015 it is no longer possible to overwrite keys in static scalar
arrays. Quick example to illustrate:
    class Test {
        const FIRST = 1;
        public $array = array(
            self::FIRST => 'first',
            'second',
            'third'
        );
    }
Test::$array will have as expected three array keys (1, 2, 3) and no longer
two (0, 1). self::FIRST will no longer overwrite 'third' having key 1 then,
but will mark the beginning of indexing.
- JSON:
json_decode() no longer accepts non-lowercase variants of lone JSON true,
false or null values. For example, True or FALSE will now cause json_decode to
return NULL and set an error value you can fetch with json_last_error().
This affects JSON texts consisting solely of true, false or null. Text
containing non-lowercase values inside JSON arrays or objects has never been
accepted.
- OpenSSL:
To prevent man-in-the-middle attacks against encrypted transfers client
streams now verify peer certificates by default. Previous versions
required users to manually enable peer verification. As a result of this
change, existing code using ssl:// or tls:// stream wrappers (e.g.
file_get_contents(), fsockopen(), stream_socket_client()) may no longer
connect successfully without manually disabling peer verification via the
stream context's "verify_peer" setting. Encrypted transfers delegate to
operating system certificate stores by default if not overridden via the
new openssl.cafile and openssl.cafile ini directives or via call-time SSL
context options, so most users should be unaffected by this transparent
security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
- Mcrypt:
The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no
longer accept keys or IVs with incorrect sizes. Furthermore an IV is now
required if the used block cipher mode requires it.
-- Ondřej Surý <ondrej(a)debian.org> Mon, 23 Jun 2014 14:09:53 +0200
php5 (5.5.0~rc1+dfsg-1) experimental; urgency=low
* Starting from this version, the JSON module is no longer compiled in
due to licensing problems, and you need to install the JSON extension
as external php5-json package that is using json-c library.
-- Ondřej Surý <ondrej(a)debian.org> Fri, 17 May 2013 14:43:04 +0200
php5 (5.5.0~beta4-2) experimental; urgency=low
* short_open_tag configuration option now defaults to Off. This means
that your PHP applications have to use '<?php' instead of just
'<?'.
Please check and fix your applications (this is preferred solution) or
you can re-enable short_open_tag in /etc/php5/<sapi>/php.ini again.
-- Ondřej Surý <ondrej(a)debian.org> Sun, 05 May 2013 23:37:54 +0200
screen (4.1.0~20120320gitdb59704-10) unstable; urgency=medium
On systems running systemd, the management of /var/run/screen previously
handled by /etc/init.d/screen-cleanup now occurs via systemd-tmpfiles and
/usr/lib/tmpfiles.d/screen-cleanup.conf. The installed version of that
file works for systems with the default screen permissions; if you override
the permissions of /usr/bin/screen with dpkg-statoverride as documented in
/usr/share/doc/screen/README.Debian, you should create an overriding file
/etc/tmpfiles.d/screen-cleanup.conf setting the corresponding permissions.
See /usr/share/doc/screen/README.Debian for details.
If you have already overridden the permissions of /usr/bin/screen, an
/etc/tmpfiles.d/screen-cleanup.conf has been created for you.
-- Axel Beckert <abe(a)debian.org> Fri, 28 Feb 2014 12:23:42 +0100
coreutils (8.23-1) unstable; urgency=low
GNU coreutils package now includes the `realpath' command that used to
be found in a separate `realpath' package.
Even though the GNU version provides all the features of the old Debian
version, the behaviour is a bit different, namely:
* GNU `realpath' and `realpath -s' commands require all but the
last path components to exist
whereas:
* Debian version of `realpath' required all the path components to exist;
* Debian version of `realpath -s' required no path components to exist.
To get the old behaviour in GNU `realpath' an additional option needs
to be used:
    Old Debian realpath          New GNU coreutils realpath
    -----------------------      ----------------------------
    realpath file(s)        =>   realpath -e file(s)
    realpath -s file(s)     =>   realpath -s -m file(s)
-- Robert Luberda <robert(a)debian.org> Sun, 31 Aug 2014 16:08:14 +0200
curl (7.32.0-1) unstable; urgency=low
From this version the threaded DNS resolver will be used. This allows for
asynchronous DNS queries and also fixes possible issues related to handling
time outs of DNS lookups.
The threaded resolver was chosen instead of the event-based one (which uses
the c-ares library) because c-ares currently lacks somewhat important
features, such as support for the Name Service Switch system.
-- Alessandro Ghedini <ghedo(a)debian.org> Mon, 12 Aug 2013 11:08:09 +0200
curl (7.28.1-1) experimental; urgency=low
From this version the CURLOPT_SSL_VERIFYHOST option will stop accepting "1"
as a valid value. From the documentation:
When the value is 1, libcurl will return a failure. It was previously (in
7.28.0 and earlier) a debug option of some sorts, but it is no longer
supported due to frequently leading to programmer mistakes.
-- Alessandro Ghedini <ghedo(a)debian.org> Mon, 26 Nov 2012 17:46:27 +0100
duplicity (0.6.20-3) unstable; urgency=low
Duplicity and locales
This version of duplicity completely ignores your locale settings
and uses POSIX instead, because under some locales (e.g. fr_FR.utf8)
the logger causes duplicity to crash (see bug #682837).
-- Alexander Zangerl <az(a)debian.org> Tue, 05 Mar 2013 12:43:16 +1000
duplicity (0.6.18-4) unstable; urgency=low
Reworked Ubuntu One backend
This version includes a reworked standalone backend for Ubuntu One,
which no longer requires Gnome, an X11 session or software that's not
packaged for Debian. The backend requires the python-oauth and -httplib2
packages and duplicity therefore now recommends them.
Check the man page for details about Ubuntu One authentication.
-- Alexander Zangerl <az(a)debian.org> Thu, 18 Oct 2012 13:07:36 +1000
fail2ban (0.8.11-1) unstable; urgency=low
* retroactive for 0.8.9: by default iptables-* actions do not simply
DROP packets from offending IP but rather reject with
icmp-port-unreachable. If DROP behaviour is preferable, provide
config/action.d/iptables-blocktype.local with [Init] section defining
blocktype = DROP or override action definition to provide
blocktype=DROP option in jail.local
* Many failregex's were tightened up in this release which could
theoretically affect operation in comparison to previous release(s).
-- Yaroslav Halchenko <debian(a)onerussian.com> Sat, 16 Nov 2013 22:27:50 -0500
git (1:1.8.4~rc0-1) experimental; urgency=low
Starting with this version, gitweb and "git daemon" on Debian are
configured to look for repositories under /var/lib/git by default
instead of /var/cache/git. You may want to adjust your inetd,
rsyncd, and web server configuration to use the new base path.
See /usr/share/doc/git/README.Debian for details.
Symlinks are installed during the upgrade to ensure existing
repositories remain accessible. If no local scripts or
configuration depend on /var/cache/git then it is safe to remove
the old directory after replacing these symlinks with their
targets:
    mv --backup /var/cache/git/* /var/lib/git/
    rmdir /var/cache/git
    rm /var/lib/git/*~
-- Jonathan Nieder <jrnieder(a)gmail.com> Sun, 28 Jul 2013 17:46:05 -0700
git (1:1.8.2~rc0-1) experimental; urgency=low
The default behavior of "git push" when run without specifying any
ref names will change in the upcoming Git 2.0 release.
The previous default behavior was to use "matching" semantics: push
all branches for which there is already a branch of the same name on
the remote end. The new default is "simple" semantics: push the
current branch to a branch of the same name, provided that "git
pull" is configured to integrate with that branch. You can get a
glimpse of the future with
echo '[push] default = simple' >>~/.gitconfig
See Documentation/RelNotes/1.8.2.txt and the entry on push.default
in git-config(1) for details.
-- Jonathan Nieder <jrnieder(a)gmail.com> Mon, 18 Feb 2013 16:48:53 -0800
git (1:1.8.0-1) experimental; urgency=low
Git's bash completion script is now loaded on the fly when tab
completion is attempted for the 'git' or 'gitk' command. This
change involved moving the completion script. If your ~/.bashrc
previously contained
. /etc/bash_completion.d/git
then it should be corrected to
    if [ -e /usr/share/bash-completion/completions/git ]; then
        . /usr/share/bash-completion/completions/git
    elif [ -e /etc/bash_completion.d/git ]; then
        . /etc/bash_completion.d/git
    fi
or, better,
. /etc/bash_completion
See /usr/share/doc/bash-completion/README.Debian for details.
-- Jonathan Nieder <jrnieder(a)gmail.com> Sun, 13 Jan 2013 08:59:42 -0800
libio-socket-ssl-perl (1.961-1) unstable; urgency=low
Upstream version 1.956 introduced the following major behaviour changes:
* BEHAVIOR CHANGE: make default cipher list more secure, especially
- no longer support MD5 by default (broken)
- no longer support anonymous authentication by default (vulnerable to man in
the middle attacks)
- prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
it uses by default forward secrecy, if underlying Net::SSLeay/openssl
supports it
- move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
been fixed and now RC4 is considered less safe than 3DES)
- default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
get the best cipher even if client prefers other ciphers
PLEASE NOTE that this might break connections with older, less secure
implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
* BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
thus gets reused if context gets reused. PLEASE NOTE that using
SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
ciphers of the context.
* rework hostname verification schemes
- BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
- BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
* BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
'www2'.. but not 'www'
-- Salvatore Bonaccorso <carnil(a)debian.org> Wed, 27 Nov 2013 15:34:34 +0100
libio-socket-ssl-perl (1.951-1) experimental; urgency=low
Upstream version 1.951 introduced the following two major behaviour changes:
* ssl_verify_mode now defaults to verify_peer for client.
Until now it used verify_none, but loudly complained since 1.79 about it.
It will not complain any longer, but the connection might probably fail.
Please don't simply disable ssl verification, but instead set SSL_ca_file
etc so that verification succeeds!
* it will now complain if the builtin defaults of certs/my-ca.pem or ca/
for CA and certs/{server,client}-{key,cert}.pem for cert and key are used,
e.g. no certificates are specified explicitly.
In the future these insecure (relative path!) defaults will be removed
and the CA replaced with the system defaults.
-- Salvatore Bonaccorso <carnil(a)debian.org> Sun, 07 Jul 2013 22:33:29 +0200
libio-socket-ssl-perl (1.88-1) unstable; urgency=low
Upstream version 1.79 introduced the following change: IO::Socket::SSL will
complain if SSL_verify_mode is SSL_VERIFY_NONE for client unless it was
explicitly set this way. In the future the default will change to verify the
server certificate and apps, which don't provide the necessary credentials
should fail.
The module will carp with:
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
-- Salvatore Bonaccorso <carnil(a)debian.org> Mon, 13 May 2013 21:58:44 +0200
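
The php5 5.6.0~beta4 OpenSSL entry, the curl 7.28.1-1 entry and the libio-socket-ssl-perl entries above all tighten certificate verification defaults, and code that breaks on upgrade tends to get "fixed" by switching the check off. This added example (not from any of those packages) scans source files for the settings those entries name; the rule names and the sample files are constructed, and the note that CURLOPT_SSL_VERIFYHOST 0 disables the host name check is general libcurl behaviour rather than something stated in the NEWS text.

```shell
#!/bin/sh
# Added example: flag source lines that switch off the TLS checks named in
# the NEWS entries. Rule names and sample files are constructed.

# Print "file:line:rule" for each matching line in the given files.
tls_verify_findings() {
    awk '
        function report(rule) { printf "%s:%d:%s\n", FILENAME, FNR, rule }
        # Trailing blank gives a value at end of line a delimiter to match.
        { line = $0 " " }
        # PHP stream context option verify_peer set to false or 0
        # (verify_peer_name is a different option and is not matched).
        line ~ /verify_peer[^A-Za-z_]*=>[ \t]*(false|FALSE|0)[^0-9A-Za-z_]/ {
            report("php-verify_peer-disabled") }
        # libcurl: value 1 returns a failure from 7.28.1 on.
        line ~ /CURLOPT_SSL_VERIFYHOST[ \t]*,[ \t]*1L?[ \t]*\)/ {
            report("curl-verifyhost-1-unsupported") }
        # libcurl: value 0 skips the host name check entirely.
        line ~ /CURLOPT_SSL_VERIFYHOST[ \t]*,[ \t]*(0L?|false|FALSE)[ \t]*\)/ {
            report("curl-verifyhost-disabled") }
        # IO::Socket::SSL: verification explicitly turned off.
        line ~ /SSL_verify_mode[ \t]*=>[ \t]*(SSL_VERIFY_NONE|0)[^0-9A-Za-z_]/ {
            report("perl-ssl-verify-none") }
    ' "$@"
}

# Write constructed PHP, C and Perl samples into directory $1.
write_tls_samples() {
    cat > "$1/fetch.php" <<'EOF'
<?php // constructed sample
$ctx = stream_context_create(array('ssl' => array(
    'verify_peer' => false,
    'verify_peer_name' => true,
)));
$ok = stream_context_create(array('ssl' => array('verify_peer' => true)));
EOF
    cat > "$1/client.c" <<'EOF'
/* constructed sample */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
EOF
    cat > "$1/client.pl" <<'EOF'
# constructed sample
my $s = IO::Socket::SSL->new(PeerAddr => $host, SSL_verify_mode => SSL_VERIFY_NONE);
my $t = IO::Socket::SSL->new(PeerAddr => $host, SSL_verify_mode => SSL_VERIFY_PEER,
                             SSL_ca_file => $ca);
EOF
}

# Scan any files named on the command line.
if [ "$#" -gt 0 ]; then
    tls_verify_findings "$@"
fi
```

Each finding is a place to supply a CA file or path so that verification succeeds, as the 1.951-1 entry asks, instead of leaving the check disabled.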
libnet-ldap-perl (1:0.5700-1) unstable; urgency=low
COMPATIBILITY WARNING:
The bug fix "LDAP.pm: new parameter bind(sasl_host => SASLHOST)"
is an incompatible change that may break some corner-case configurations
* that use SASL for authentication and
* where the SASL host name differs from the host name connecting to.
The incompatible change was necessary as it was not possible to fix
the issue which was introduced in perl-ldap 0.37 in a compatible way.
See Net::LDAP's manual page for the details on "sasl_host".
-- gregor herrmann <gregoa(a)debian.org> Fri, 26 Jul 2013 18:12:35 +0200
make-dfsg (4.0-1) experimental; urgency=low
WARNING: Backward-incompatibility!
If .POSIX is specified, then make adheres to the POSIX backslash/newline
handling requirements, which introduces the following changes to the
standard backslash/newline handling in non-recipe lines:
* Any trailing space before the backslash is preserved
* Each backslash/newline (plus subsequent whitespace) is converted to a
single space
-- Manoj Srivastava <srivasta(a)debian.org> Sat, 12 Apr 2014 23:56:34 -0700
make-dfsg (3.82-1) experimental; urgency=low
* New upstream release. A complete list of bugs fixed in this version is
available here:
http://sv.gnu.org/bugs/index.php?group=make&report_id=111&fix_relea…
* WARNING: Future backward-incompatibility!
Wildcards are not documented as returning sorted values, but up to and
including this release the results have been sorted and some makefiles
are apparently depending on that. In the next release of GNU make,
for performance reasons, we may remove that sorting. If your
makefiles require sorted results from wildcard expansions, use the
$(sort ...) function to request it explicitly.
* WARNING: Backward-incompatibility!
The POSIX standard for make was changed in the 2008 version in a
fundamentally incompatible way: make is required to invoke the shell
as if the '-e' flag were provided. Because this would break many
makefiles that have been written to conform to the original text of
the standard, the default behavior of GNU make remains to invoke the
shell with simply '-c'. However, any makefile specifying the .POSIX
special target will follow the new POSIX standard and pass '-e' to the
shell. See also .SHELLFLAGS below.
* WARNING: Backward-incompatibility!
The '$?' variable now contains all prerequisites that caused the
target to be considered out of date, even if they do not exist
(previously only existing targets were provided in $?).
* WARNING: Backward-incompatibility!
As a result of parser enhancements, three backward-compatibility
issues exist: first, a prerequisite containing an "=" cannot be
escaped with a backslash any longer. You must create a variable
containing an "=" and use that variable in the prerequisite. Second,
variable names can no longer contain whitespace, unless you put the
whitespace in a variable and use the variable. Third, in previous
versions of make it was sometimes not flagged as an error for explicit
and pattern targets to appear in the same rule. Now this is always
reported as an error.
* WARNING: Backward-incompatibility!
The pattern-specific variables and pattern rules are now applied in
the shortest stem first order instead of the definition order
(variables and rules with the same stem length are still applied in
the definition order). This produces the usually-desired behavior
where more specific patterns are preferred. To detect this feature
search for 'shortest-stem' in the .FEATURES special variable.
* WARNING: Backward-incompatibility!
The library search behavior has changed to be compatible with the
standard linker behavior. Prior to this version for prerequisites
specified using the -lfoo syntax make first searched for libfoo.so in
the current directory, vpath directories, and system directories. If
that didn't yield a match, make then searched for libfoo.a in these
directories. Starting with this version make searches first for
libfoo.so and then for libfoo.a in each of these directories in order.
-- Manoj Srivastava <srivasta(a)debian.org> Mon, 18 Jul 2011 00:38:04 -0700
monit (1:5.5-2) unstable; urgency=low
Support of the "startup" option in /etc/default/monit and
setting initial delay with /etc/monit/monit_delay has been removed.
Please, use START option to enable/disable monit startup during boot.
-- Sergey B Kirpichev <skirpichev(a)gmail.com> Sun, 09 Dec 2012 15:37:35 +0400
nss-pam-ldapd (0.9.0-1) experimental; urgency=low
The 0.9 release changes the communication protocol used between the NSS
and PAM modules on one end and the nslcd process on the other end.
This means that after the upgrade, if the new nslcd is running, processes
that have the old NSS or PAM module already loaded will be unable to
perform queries.
For example, if a screensaver that was running before the upgrade has
locked the screen during the upgrade, the user will no longer be able to
unlock the screen.
-- Arthur de Jong <adejong(a)debian.org> Sat, 06 Apr 2013 15:00:00 +0200
python-keyring (1.4-1) unstable; urgency=low
This version no longer supports the conversion of pre-0.9 Crypto-based
keyring files. The version in wheezy (0.7.1-1+deb7u1) automatically converts
these files when you use it, so if you were using python-keyring in wheezy,
you are not affected.
Otherwise, if you used the Crypto backend, you should convert these files
manually using /usr/share/python-keyring/convert-crypto-keyring script from
the python-keyring package.
-- Dmitry Shachnev <mitya57(a)gmail.com> Sat, 22 Jun 2013 11:03:11 +0400
tmux (1.9-1) experimental; urgency=low
The server protocol version was changed from 7 to 8, we recommend that
you close any open tmux sessions before proceeding with the upgrade.
-- Romain Francoise <rfrancoise(a)debian.org> Sat, 22 Feb 2014 17:42:35 +0100
tmux (1.7~svn2819-1) experimental; urgency=low
The server protocol version was changed from 6 to 7, we recommend that
you close any open tmux sessions before proceeding with the upgrade.
-- Romain Francoise <rfrancoise(a)debian.org> Wed, 30 May 2012 19:52:56 +0200
util-linux (2.24.2-1) experimental; urgency=low
The support for encryption in losetup has been dropped.
(And the patch for supporting hashed passphrases in debian with it.)
The recommendation is to use cryptsetup instead.
-- Andreas Henriksson <andreas(a)fatal.se> Mon, 16 Jun 2014 18:00:16 +0200
zsh (5.0.0-1) unstable; urgency=low
This update includes a rewrite of keyboard handling in `/etc/zsh/zshrc'.
The used method should be quite a bit more robust than the old one, and
should work out of the box for every terminal with a working terminfo entry.
If you do not want Debian's zshrc to mess with your keyboard setup, set the
following variable in your `.zshenv' file:
    DEBIAN_PREVENT_KEYBOARD_CHANGES=yes
This change also removes the controversial vi-* bindings for the up and down
cursor keys (which was reported as #383737 and led to confusion with a
substantial number of users). If you want them back use the following snippet
in your `.zshrc' file (and without the above variable set):
    for i in viins vicmd; do
        bindkey -M "$i" "${key[Up]}" vi-up-line-or-history
        bindkey -M "$i" "${key[Down]}" vi-down-line-or-history
    done
    unset i
-- Frank Terbeck <ft(a)bewatermyfriend.org> Sat, 03 Mar 2012 21:28:54 +0100