linux-latest (47) unstable; urgency=medium
* The kernel image is now compressed using xz compression. If you are
running it under a virtualisation system such as Xen, that will
decompress the kernel itself, then you will need to ensure that the
system is up to date and includes support for such kernels.
The Xen system included in Debian 7 'wheezy' does support this.
See https://wiki.debian.org/Xen#Error_.22unknown_compression_format.22
for more information.
-- Ben Hutchings <ben(a)decadent.org.uk> Thu, 14 Aug 2014 02:20:57 +0100
openssh (1:6.7-5) unstable; urgency=medium
openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
a number of specific LC_FOO variables rather than the wildcard LC_*. I
have since been persuaded that this was a bad idea and have reverted it,
but it is difficult to automatically undo the change to
/etc/ssh/sshd_config without compounding the problem (that of modifying
configuration that some users did not want to be modified) further. Most
users who upgraded via version 1:6.7p1-4 should restore the previous value
of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
-- Colin Watson <cjwatson(a)debian.org> Sun, 22 Mar 2015 23:09:32 +0000
php5 (5.6.0~rc3+dfsg-2) unstable; urgency=medium
* The default session.save_path has been changed from /var/lib/php5
to /var/lib/php5/sessions.
-- Ondřej Surý <ondrej(a)debian.org> Thu, 14 Aug 2014 10:20:59 +0200
php5 (5.6.0~beta4+dfsg-2) unstable; urgency=medium
* Full upstream upgrade notes are available at:
/usr/share/doc/php5-common/UPGRADING.gz
* The backwards incompatible changes introduced in PHP 5.6:
- Core:
By fixing bug #66015 it is no longer possible to overwrite keys in static scalar
arrays. Quick example to illustrate:
    class Test {
        const FIRST = 1;
        public $array = array(
            self::FIRST => 'first',
            'second',
            'third'
        );
    }
Test::$array will have as expected three array keys (1, 2, 3) and no longer
two (0, 1). self::FIRST will no longer overwrite 'third' having key 1 then,
but will mark the beginning of indexing.
- JSON:
json_decode() no longer accepts non-lowercase variants of lone JSON true,
false or null values. For example, True or FALSE will now cause json_decode to
return NULL and set an error value you can fetch with json_last_error().
This affects JSON texts consisting solely of true, false or null. Text
containing non-lowercase values inside JSON arrays or objects has never been
accepted.
- OpenSSL:
To prevent man-in-the-middle attacks against encrypted transfers client
streams now verify peer certificates by default. Previous versions
required users to manually enable peer verification. As a result of this
change, existing code using ssl:// or tls:// stream wrappers (e.g.
file_get_contents(), fsockopen(), stream_socket_client()) may no longer
connect successfully without manually disabling peer verification via the
stream context's "verify_peer" setting. Encrypted transfers delegate to
operating system certificate stores by default if not overridden via the
new openssl.cafile and openssl.cafile ini directives or via call-time SSL
context options, so most users should be unaffected by this transparent
security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
- Mcrypt:
The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no
longer accept keys or IVs with incorrect sizes. Furthermore an IV is now
required if the used block cipher mode requires it.
-- Ondřej Surý <ondrej(a)debian.org> Mon, 23 Jun 2014 14:09:53 +0200
php5 (5.5.0~rc1+dfsg-1) experimental; urgency=low
* Starting from this version, the JSON module is no longer compiled in
due to licensing problems, and you need to install the JSON extension
as external php5-json package that is using json-c library.
-- Ondřej Surý <ondrej(a)debian.org> Fri, 17 May 2013 14:43:04 +0200
php5 (5.5.0~beta4-2) experimental; urgency=low
* short_open_tag configuration option now defaults to Off. This means
that your PHP applications have to use '<?php' instead of just
'<?'.
Please check and fix your applications (this is preferred solution) or
you can re-enable short_open_tag in /etc/php5/<sapi>/php.ini again.
-- Ondřej Surý <ondrej(a)debian.org> Sun, 05 May 2013 23:37:54 +0200
screen (4.1.0~20120320gitdb59704-10) unstable; urgency=medium
On systems running systemd, the management of /var/run/screen previously
handled by /etc/init.d/screen-cleanup now occurs via systemd-tmpfiles and
/usr/lib/tmpfiles.d/screen-cleanup.conf. The installed version of that
file works for systems with the default screen permissions; if you override
the permissions of /usr/bin/screen with dpkg-statoverride as documented in
/usr/share/doc/screen/README.Debian, you should create an overriding file
/etc/tmpfiles.d/screen-cleanup.conf setting the corresponding permissions.
See /usr/share/doc/screen/README.Debian for details.
If you have already overridden the permissions of /usr/bin/screen, an
/etc/tmpfiles.d/screen-cleanup.conf has been created for you.
-- Axel Beckert <abe(a)debian.org> Fri, 28 Feb 2014 12:23:42 +0100
apache2 (2.4.10-2) unstable; urgency=low
The default period for which rotated log files are kept has been
reduced from one year to 14 days.
-- Stefan Fritsch <sf(a)debian.org> Tue, 23 Sep 2014 22:25:06 +0200
apache2 (2.4.1-1) unstable; urgency=low
This package introduces a new major release of the Apache HTTP server. It is
likely the site configuration needs changes to work with this release.
Notable changes which need special care are:
The module interface (ABI) has changed. If you have any locally compiled
modules, you have to re-compile them for apache2 2.4.
The authorization and authentication system has changed. Existing
configurations using deprecated Order/Allow/Deny directives need to be
upgraded to the new system. Please review upstream's "Authentication,
Authorization and Access Control Howto" [1]. There is a new module
"mod_access_compat", which is supposed to provide backward compatibility,
but it does not work well in practice.
Furthermore, MPMs are simple modules now. Thus, the MPM can be changed
at any time by (un-)loading a specific module. Be careful when upgrading. An
example of changing the MPM is given below:
    a2dismod mpm_worker
    a2enmod mpm_prefork
MPM ITK users should be advised, that ITK is not a MPM anymore. Instead, it
is a simple Apache module, expanding functionality of the prefork MPM. Thus,
users should switch to the prefork MPM and enable ITK as a module. The
upgrade scripts ensure this for the upgrade from Debian Wheezy.
We did change the security model for Apache in our default configuration. We
do not allow access to the file system outside /var/www and /usr/share.
If you are running virtual hosts or scripts outside these directories, you
need to whitelist them in your configuration to grant access through HTTP.
Special care must be taken if you are using a sub-directory in /srv to serve
your content as recommended by the File Hierarchy Standard (FHS). You must
allow access to your served directory explicitly in the corresponding virtual
host, or by allowing access in apache2.conf as proposed.
Along the security model, we did also change the default Document Root, files
are served from. Previous releases served /var/www by default when no other
virtual host matched the request. Starting with this release, we changed the
default document root to /var/www/html, so that sensitive files from other
virtual hosts which are typically put into some directory below /var/www are
not exposed by the default virtual host. This change further improves the out
of box security.
Moreover, the configuration mechanism in Debian has changed. All
configurations in sites-enabled and conf-enabled need a ".conf" suffix now.
The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is
not supported any more) and works just like {sites,mods}-{available,enabled}
via the "a2enconf" tool. The upgrade tries to migrate known configuration
files from /etc/apache2/conf.d/ to /etc/apache2/conf-available/ - please
review these changes.
Note this means all existing sites are ignored until they get a ".conf"
suffix and are re-enabled by the use of a2ensite. The script in [3] can
automate that for simple cases. This change also includes Debian default
sites, so the default site has been renamed to 000-default to avoid naming
confusions. The rename of the config files to *.conf makes the special
handling inside apache2 to ignore *.dpkg-* backup files obsolete. This
special handling has been removed.
Users of mod_authn_dbm should switch to htdbm to manage their DBM user
databases. The pure-perl management utility "dbmmanage" was removed as it was
outdated and orphaned upstream.
Packagers are advised to review whether their packages comply with this
new version. Please see [2] for detailed documentation and instructions.
[1] http://httpd.apache.org/docs/2.4/howto/auth.html
[2] </usr/share/doc/apache2/PACKAGING>
[3] </usr/share/doc/apache2/migrate-sites.pl>
-- Arno Töll <arno(a)debian.org> Fri, 23 July 2012 23:50:13 +0200
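A pre-reload audit for the three changes in the apache2 2.4.1-1 entry above (sites ignored without a ".conf" suffix, deprecated Order/Allow/Deny directives, content served from outside /var/www and /usr/share). This is an added example, not part of the Debian package; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the apache2 package): audit a configuration tree
# for the 2.4 upgrade hazards described above. Names here are illustrative.

# Entries in sites-enabled/ and conf-enabled/ without a ".conf" suffix;
# apache2 2.4 on Debian ignores them until renamed and re-enabled.
unsuffixed_entries() {
    root=${1:-/etc/apache2}
    for dir in "$root/sites-enabled" "$root/conf-enabled"; do
        for f in "$dir"/*; do
            [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
            case $f in
                *.conf) ;;
                *) printf '%s\n' "$f" ;;
            esac
        done
    done
}

# file:line:text for every uncommented Order / Allow from / Deny from line.
deprecated_access_directives() {
    root=${1:-/etc/apache2}
    grep -rnEi \
        '^[[:space:]]*(Order[[:space:]]|(Allow|Deny)[[:space:]]+from[[:space:]])' \
        "$root" 2>/dev/null || true
}

# DocumentRoot values outside /var/www and /usr/share; each needs an explicit
# <Directory> grant. Limitation: a path containing spaces is cut at the space.
docroots_outside_default() {
    root=${1:-/etc/apache2}
    grep -rhEi '^[[:space:]]*DocumentRoot[[:space:]]' "$root" 2>/dev/null |
    awk '{ gsub(/"/, "", $2); print $2 }' | sort -u |
    while read -r docroot; do
        case $docroot in
            /var/www|/var/www/*|/usr/share|/usr/share/*) ;;
            *) printf '%s\n' "$docroot" ;;
        esac
    done
}

# Constructed sample: one migrated site and one 2.2-style site under /srv.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/sites-enabled" "$t/conf-enabled"
    cat > "$t/sites-enabled/000-default.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
EOF
    cat > "$t/sites-enabled/intranet" <<'EOF'
<VirtualHost *:80>
    DocumentRoot "/srv/intranet"
    <Directory /srv/intranet>
        # Order allow,deny
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Directory>
</VirtualHost>
EOF
    printf '%s\n' "$t"
}

# Usage: sh audit.sh demo   (or: sh audit.sh /etc/apache2)
if [ $# -gt 0 ]; then
    if [ "$1" = demo ]; then tree=$(make_sample_tree); else tree=$1; fi
    echo "Ignored (no .conf suffix):";    unsuffixed_entries "$tree"
    echo "Deprecated access directives:"; deprecated_access_directives "$tree"
    echo "DocumentRoot needing a grant:"; docroots_outside_default "$tree"
    if [ "$1" = demo ]; then rm -rf "$tree"; fi
fi
```

In the sample tree the "intranet" site is reported by all three checks: it would be ignored after the upgrade, and once renamed it would still need its access rules rewritten and a grant for /srv/intranet.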
coreutils (8.23-1) unstable; urgency=low
GNU coreutils package now includes the `realpath' command that used to
be found in a separate `realpath' package.
Even though the GNU version provides all the features of the old Debian
version, the behaviour is a bit different, namely:
* GNU `realpath' and `realpath -s' commands require all but the
last path components to exist
whereas:
* Debian version of `realpath' required all the path components to exist;
* Debian version of `realpath -s' required no path components to exist.
To get the old behaviour in GNU `realpath' an additional option needs
to be used:
Old Debian realpath        New GNU coreutils realpath
-----------------------    ----------------------------
realpath file(s)        => realpath -e file(s)
realpath -s file(s)     => realpath -s -m file(s)
-- Robert Luberda <robert(a)debian.org> Sun, 31 Aug 2014 16:08:14 +0200
curl (7.32.0-1) unstable; urgency=low
From this version the threaded DNS resolver will be used. This allows for
asynchronous DNS queries and also fixes possible issues related to handling
time outs of DNS lookups.
The threaded resolver was chosen instead of the event-based one (which uses
the c-ares library) because c-ares currently lacks somewhat important
features, such as support for the Name Service Switch system.
-- Alessandro Ghedini <ghedo(a)debian.org> Mon, 12 Aug 2013 11:08:09 +0200
curl (7.28.1-1) experimental; urgency=low
From this version the CURLOPT_SSL_VERIFYHOST option will stop accepting "1"
as a valid value. From the documentation:
When the value is 1, libcurl will return a failure. It was previously (in
7.28.0 and earlier) a debug option of some sorts, but it is no longer
supported due to frequently leading to programmer mistakes.
-- Alessandro Ghedini <ghedo(a)debian.org> Mon, 26 Nov 2012 17:46:27 +0100
duplicity (0.6.20-3) unstable; urgency=low
Duplicity and locales
This version of duplicity completely ignores your locale settings
and uses POSIX instead, because under some locales (e.g. fr_FR.utf8)
the logger causes duplicity to crash (see bug #682837).
-- Alexander Zangerl <az(a)debian.org> Tue, 05 Mar 2013 12:43:16 +1000
duplicity (0.6.18-4) unstable; urgency=low
Reworked Ubuntu One backend
This version includes a reworked standalone backend for Ubuntu One,
which no longer requires Gnome, an X11 session or software that's not
packaged for Debian. The backend requires the python-oauth and -httplib2
packages and duplicity therefore now recommends them.
Check the man page for details about Ubuntu One authentication.
-- Alexander Zangerl <az(a)debian.org> Thu, 18 Oct 2012 13:07:36 +1000
fail2ban (0.8.11-1) unstable; urgency=low
* retroactive for 0.8.9: by default iptables-* actions do not simply
DROP packets from offending IP but rather reject with
icmp-port-unreachable. If DROP behaviour is preferable, provide
config/action.d/iptables-blocktype.local with [Init] section defining
blocktype = DROP or override action definition to provide
blocktype=DROP option in jail.local
* Many failregex's were tightened up in this release, which could
theoretically affect operation in comparison to previous release(s).
-- Yaroslav Halchenko <debian(a)onerussian.com> Sat, 16 Nov 2013 22:27:50 -0500
git (1:1.8.4~rc0-1) experimental; urgency=low
Starting with this version, gitweb and "git daemon" on Debian are
configured to look for repositories under /var/lib/git by default
instead of /var/cache/git. You may want to adjust your inetd,
rsyncd, and web server configuration to use the new base path.
See /usr/share/doc/git/README.Debian for details.
Symlinks are installed during the upgrade to ensure existing
repositories remain accessible. If no local scripts or
configuration depend on /var/cache/git then it is safe to remove
the old directory after replacing these symlinks with their
targets:
    mv --backup /var/cache/git/* /var/lib/git/
    rmdir /var/cache/git
    rm /var/lib/git/*~
-- Jonathan Nieder <jrnieder(a)gmail.com> Sun, 28 Jul 2013 17:46:05 -0700
git (1:1.8.2~rc0-1) experimental; urgency=low
The default behavior of "git push" when run without specifying any
ref names will change in the upcoming Git 2.0 release.
The previous default behavior was to use "matching" semantics: push
all branches for which there is already a branch of the same name on
the remote end. The new default is "simple" semantics: push the
current branch to a branch of the same name, provided that "git
pull" is configured to integrate with that branch. You can get a
glimpse of the future with
    echo '[push] default = simple' >>~/.gitconfig
See Documentation/RelNotes/1.8.2.txt and the entry on push.default
in git-config(1) for details.
-- Jonathan Nieder <jrnieder(a)gmail.com> Mon, 18 Feb 2013 16:48:53 -0800
git (1:1.8.0-1) experimental; urgency=low
Git's bash completion script is now loaded on the fly when tab
completion is attempted for the 'git' or 'gitk' command. This
change involved moving the completion script. If your ~/.bashrc
previously contained
    . /etc/bash_completion.d/git
then it should be corrected to
    if [ -e /usr/share/bash-completion/completions/git ]; then
        . /usr/share/bash-completion/completions/git
    elif [ -e /etc/bash_completion.d/git ]; then
        . /etc/bash_completion.d/git
    fi
or, better,
    . /etc/bash_completion
See /usr/share/doc/bash-completion/README.Debian for details.
-- Jonathan Nieder <jrnieder(a)gmail.com> Sun, 13 Jan 2013 08:59:42 -0800
libio-socket-ssl-perl (1.961-1) unstable; urgency=low
Upstream version 1.956 introduced the following major behaviour changes:
* BEHAVIOR CHANGE: make default cipher list more secure, especially
- no longer support MD5 by default (broken)
- no longer support anonymous authentication by default (vulnerable to man in
the middle attacks)
- prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
it uses by default forward secrecy, if underlying Net::SSLeay/openssl
supports it
- move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
have been fixed and now RC4 is considered less safe than 3DES)
- default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
get the best cipher even if client prefers other ciphers
PLEASE NOTE that this might break connections with older, less secure
implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
* BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
thus gets reused if context gets reused. PLEASE NOTE that using
SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
ciphers of the context.
* rework hostname verification schemes
- BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
- BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
* BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
'www2'.. but not 'www'
-- Salvatore Bonaccorso <carnil(a)debian.org> Wed, 27 Nov 2013 15:34:34 +0100
libio-socket-ssl-perl (1.951-1) experimental; urgency=low
Upstream version 1.951 introduced the following two major behaviour changes:
* ssl_verify_mode now defaults to verify_peer for client.
Until now it used verify_none, but loudly complained since 1.79 about it.
It will not complain any longer, but the connection might probably fail.
Please don't simply disable ssl verification, but instead set SSL_ca_file
etc so that verification succeeds!
* it will now complain if the builtin defaults of certs/my-ca.pem or ca/
for CA and certs/{server,client}-{key,cert}.pem for cert and key are used,
e.g. no certificates are specified explicitly.
In the future these insecure (relative path!) defaults will be removed
and the CA replaced with the system defaults.
-- Salvatore Bonaccorso <carnil(a)debian.org> Sun, 07 Jul 2013 22:33:29 +0200
libio-socket-ssl-perl (1.88-1) unstable; urgency=low
Upstream version 1.79 introduced the following change: IO::Socket::SSL will
complain if SSL_verify_mode is SSL_VERIFY_NONE for client unless it was
explicitly set this way. In the future the default will change to verify the
server certificate and apps, which don't provide the necessary credentials
should fail.
The module will carp with:
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
-- Salvatore Bonaccorso <carnil(a)debian.org> Mon, 13 May 2013 21:58:44 +0200
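The php5 (verify_peer), curl (CURLOPT_SSL_VERIFYHOST) and libio-socket-ssl-perl (SSL_verify_mode) entries above all tighten TLS peer verification, so code that disabled or misused those settings is worth locating before the upgrade. The following scan is an added example, not code from any of these packages; the patterns are heuristics, and the labels, function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from any of the packages above): find call sites that
# switch off or misuse TLS peer verification. Patterns are heuristics.

# PHP stream context with "verify_peer" set to false or 0.
PHP_RE="[\"']verify_peer[\"'][[:space:]]*=>[[:space:]]*(false|0)"
# IO::Socket::SSL with SSL_verify_mode set to SSL_VERIFY_NONE (numerically 0).
PERL_RE='SSL_verify_mode[[:space:]]*=>[[:space:]]*([A-Za-z_:]*VERIFY_NONE|0x0+|0)([^0-9A-Za-z_]|$)'
# libcurl CURLOPT_SSL_VERIFYHOST set to 1 (or PHP true), which now fails.
CURL_RE='CURLOPT_SSL_VERIFYHOST[[:space:]]*,[[:space:]]*(1L?|true)[[:space:]]*\)'

# Prefix each input line with a finding label and a tab.
tag() {
    while IFS= read -r line; do printf '%s\t%s\n' "$1" "$line"; done
}

# Print "label<TAB>file:line:text" for each suspicious line under DIR.
tls_verification_findings() {
    dir=${1:-.}
    grep -rnEi "$PHP_RE"  "$dir" 2>/dev/null | tag php-verify_peer-off
    grep -rnE  "$PERL_RE" "$dir" 2>/dev/null | tag perl-SSL_VERIFY_NONE
    grep -rnEi "$CURL_RE" "$dir" 2>/dev/null | tag curl-VERIFYHOST-1
}

# Constructed sample sources: one flagged line and one clean line per file.
make_tls_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/client.php" <<'EOF'
<?php
$bad = stream_context_create(['ssl' => ['verify_peer' => false]]);
$ok  = stream_context_create(['ssl' => ['cafile' => '/etc/ssl/certs/ca.pem']]);
EOF
    cat > "$d/fetch.pl" <<'EOF'
my $bad = IO::Socket::SSL->new(SSL_verify_mode => SSL_VERIFY_NONE);
my $ok  = IO::Socket::SSL->new(SSL_verify_mode => SSL_VERIFY_PEER);
EOF
    cat > "$d/dl.c" <<'EOF'
curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 1L);
curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2L);
EOF
    printf '%s\n' "$d"
}

# Usage: sh tlsscan.sh demo   (or: sh tlsscan.sh /path/to/source)
if [ $# -gt 0 ]; then
    if [ "$1" = demo ]; then src=$(make_tls_samples); else src=$1; fi
    tls_verification_findings "$src"
    if [ "$1" = demo ]; then rm -rf "$src"; fi
fi
```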
libnet-ldap-perl (1:0.5700-1) unstable; urgency=low
COMPATIBILITY WARNING:
The bug fix "LDAP.pm: new parameter bind(sasl_host => SASLHOST)"
is an incompatible change that may break some corner-case configurations
* that use SASL for authentication and
* where the SASL host name differs from the host name connecting to.
The incompatible change was necessary as it was not possible to fix
the issue which was introduced in perl-ldap 0.37 in a compatible way.
See Net::LDAP's manual page for the details on "sasl_host".
-- gregor herrmann <gregoa(a)debian.org> Fri, 26 Jul 2013 18:12:35 +0200
mailman (1:2.1.16-1exp1) experimental; urgency=low
This version has changed the encoding of most strings, templates
and pages to UTF-8 to meet the Debian release goal of full UTF-8
support in all packages. It also no longer automatically converts
mails to ISO-8859-1.
If you have been using any nōn-ASCII strings in places such as
the mailing list description, these were stored wrongly in the
list configuration file (config.pck), so you will need to change
those (e.g. via the webinterface) again in order to have them be
displayed correctly.
-- Thorsten Glaser <tg(a)mirbsd.de> Sun, 29 Dec 2013 14:35:50 +0000
make-dfsg (4.0-1) experimental; urgency=low
WARNING: Backward-incompatibility!
If .POSIX is specified, then make adheres to the POSIX backslash/newline
handling requirements, which introduces the following changes to the
standard backslash/newline handling in non-recipe lines:
* Any trailing space before the backslash is preserved
* Each backslash/newline (plus subsequent whitespace) is converted to a
single space
-- Manoj Srivastava <srivasta(a)debian.org> Sat, 12 Apr 2014 23:56:34 -0700
make-dfsg (3.82-1) experimental; urgency=low
* New upstream release. A complete list of bugs fixed in this version is
available here:
http://sv.gnu.org/bugs/index.php?group=make&report_id=111&fix_relea…
* WARNING: Future backward-incompatibility!
Wildcards are not documented as returning sorted values, but up to and
including this release the results have been sorted and some makefiles
are apparently depending on that. In the next release of GNU make,
for performance reasons, we may remove that sorting. If your
makefiles require sorted results from wildcard expansions, use the
$(sort ...) function to request it explicitly.
* WARNING: Backward-incompatibility!
The POSIX standard for make was changed in the 2008 version in a
fundamentally incompatible way: make is required to invoke the shell
as if the '-e' flag were provided. Because this would break many
makefiles that have been written to conform to the original text of
the standard, the default behavior of GNU make remains to invoke the
shell with simply '-c'. However, any makefile specifying the .POSIX
special target will follow the new POSIX standard and pass '-e' to the
shell. See also .SHELLFLAGS below.
* WARNING: Backward-incompatibility!
The '$?' variable now contains all prerequisites that caused the
target to be considered out of date, even if they do not exist
(previously only existing targets were provided in $?).
* WARNING: Backward-incompatibility!
As a result of parser enhancements, three backward-compatibility
issues exist: first, a prerequisite containing an "=" cannot be
escaped with a backslash any longer. You must create a variable
containing an "=" and use that variable in the prerequisite. Second,
variable names can no longer contain whitespace, unless you put the
whitespace in a variable and use the variable. Third, in previous
versions of make it was sometimes not flagged as an error for explicit
and pattern targets to appear in the same rule. Now this is always
reported as an error.
* WARNING: Backward-incompatibility!
The pattern-specific variables and pattern rules are now applied in
the shortest stem first order instead of the definition order
(variables and rules with the same stem length are still applied in
the definition order). This produces the usually-desired behavior
where more specific patterns are preferred. To detect this feature
search for 'shortest-stem' in the .FEATURES special variable.
* WARNING: Backward-incompatibility!
The library search behavior has changed to be compatible with the
standard linker behavior. Prior to this version for prerequisites
specified using the -lfoo syntax make first searched for libfoo.so in
the current directory, vpath directories, and system directories. If
that didn't yield a match, make then searched for libfoo.a in these
directories. Starting with this version make searches first for
libfoo.so and then for libfoo.a in each of these directories in order.
-- Manoj Srivastava <srivasta(a)debian.org> Mon, 18 Jul 2011 00:38:04 -0700
mutt (1.5.22-1) unstable; urgency=low
The sidebar-dotted patch was replaced by the sidebar-dotpathsep patch from
Gentoo. This new version drops the "sidebar_shortpath" option from the
configuration. You can configure the behaviour with the
"sidebar_delim_chars" option now.
-- Christoph Berg <christoph.berg(a)credativ.de> Wed, 05 Mar 2014 13:51:33 +0100
nss-pam-ldapd (0.9.0-1) experimental; urgency=low
The 0.9 release changes the communication protocol used between the NSS
and PAM modules on one end and the nslcd process on the other end.
This means that after the upgrade, if the new nslcd is running, processes
that have the old NSS or PAM module already loaded will be unable to
perform queries.
For example, if a screensaver that was running before the upgrade has
locked the screen during the upgrade, the user will no longer be able to
unlock the screen.
-- Arthur de Jong <adejong(a)debian.org> Sat, 06 Apr 2013 15:00:00 +0200
tmux (1.9-1) experimental; urgency=low
The server protocol version was changed from 7 to 8, we recommend that
you close any open tmux sessions before proceeding with the upgrade.
-- Romain Francoise <rfrancoise(a)debian.org> Sat, 22 Feb 2014 17:42:35 +0100
tmux (1.7~svn2819-1) experimental; urgency=low
The server protocol version was changed from 6 to 7, we recommend that
you close any open tmux sessions before proceeding with the upgrade.
-- Romain Francoise <rfrancoise(a)debian.org> Wed, 30 May 2012 19:52:56 +0200
util-linux (2.24.2-1) experimental; urgency=low
The support for encryption in losetup has been dropped.
(And the patch for supporting hashed passphrases in debian with it.)
The recommendation is to use cryptsetup instead.
-- Andreas Henriksson <andreas(a)fatal.se> Mon, 16 Jun 2014 18:00:16 +0200
zsh (5.0.0-1) unstable; urgency=low
This update includes a rewrite of keyboard handling in `/etc/zsh/zshrc'.
The used method should be quite a bit more robust than the old one, and
should work out of the box for every terminal with a working terminfo entry.
If you do not want Debian's zshrc to mess with your keyboard setup, set the
following variable in your `.zshenv' file:
DEBIAN_PREVENT_KEYBOARD_CHANGES=yes
This change also removes the controversial vi-* bindings for the up and down
cursor keys (which was reported as #383737 and led to confusion with a
substantial number of users). If you want them back use the following snippet
in your `.zshrc' file (and without the above variable set):
    for i in viins vicmd; do
        bindkey -M "$i" "${key[Up]}" vi-up-line-or-history
        bindkey -M "$i" "${key[Down]}" vi-down-line-or-history
    done
    unset i
-- Frank Terbeck <ft(a)bewatermyfriend.org> Sat, 03 Mar 2012 21:28:54 +0100