apt (1.8.0~alpha3) unstable; urgency=medium
The PATH for running dpkg is now configured by the option DPkg::Path,
and defaults to "/usr/sbin:/usr/bin:/sbin:/bin". Previous behavior of
not changing PATH may be restored by setting the option to an empty string.
Support for /etc/apt/auth.conf.d/ has been added, see apt_auth.conf(5).
-- Julian Andres Klode <jak(a)debian.org> Tue, 18 Dec 2018 15:02:11 +0100
apt (1.6~rc1) unstable; urgency=medium
Seccomp sandboxing has been turned off by default for now. If it works
for you, you are encouraged to re-enable it by setting APT::Sandbox::Seccomp
to true.
-- Julian Andres Klode <jak(a)debian.org> Fri, 06 Apr 2018 14:14:29 +0200
apt (1.6~beta1) unstable; urgency=medium
APT now verifies that the date of Release files is not in the future. By
default, it may be 10 seconds in the future to allow for some clock drift.
Two new configuration options can be used to tweak the behavior:
Acquire::Check-Date
Acquire::Max-DateFuture
These can be overridden in sources.list entries using the check-date
and date-future-max options. Note that disabling check-date also
disables checks on valid-until: It is considered to mean that your
machine's time is not reliable.
-- Julian Andres Klode <jak(a)debian.org> Mon, 26 Feb 2018 13:14:13 +0100
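Added example, not code from apt or from this NEWS entry: a Python model of the date rules described above (Date at most Max-DateFuture seconds ahead, and check-date=no also switching off the Valid-Until check). The function names and the Release text are constructed for illustration, and only the rules stated in the entry are modelled.

```python
from datetime import datetime, timedelta, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S"


def parse_release_fields(text):
    """Return the top-level 'Field: value' pairs of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Indented lines are continuation lines (checksum lists); skip them.
        if not line or line[0].isspace():
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def parse_release_date(value):
    """Parse a timestamp such as 'Mon, 26 Feb 2018 12:00:08 UTC'."""
    stamp, _, zone = value.rpartition(" ")
    if zone not in ("UTC", "GMT", "+0000"):
        raise ValueError("unexpected time zone: %r" % zone)
    return datetime.strptime(stamp, DATE_FMT).replace(tzinfo=timezone.utc)


def check_release_dates(text, now, check_date=True, max_future=10):
    """Return (accepted, reason) for a Release file at time `now`.

    check_date and max_future stand in for Acquire::Check-Date and
    Acquire::Max-DateFuture (or the per-source check-date and
    date-future-max options).
    """
    if not check_date:
        # Per the NEWS entry, disabling check-date also disables the
        # Valid-Until check: the local clock is treated as unreliable.
        return True, "check-date disabled: Date and Valid-Until not checked"
    fields = parse_release_fields(text)
    if "Date" not in fields:
        # Rejecting here is this example's own choice.
        return False, "no Date field"
    ahead = parse_release_date(fields["Date"]) - now
    if ahead > timedelta(seconds=max_future):
        return False, "Date is %d seconds in the future" % ahead.total_seconds()
    valid_until = fields.get("Valid-Until")
    if valid_until and parse_release_date(valid_until) < now:
        return False, "Valid-Until has passed"
    return True, "ok"


def make_release(date, valid_until):
    """Build a constructed Release header for the checks below."""
    return (
        "Origin: Example\n"
        "Suite: unstable\n"
        "Date: %s\n"
        "Valid-Until: %s\n"
        "SHA256:\n"
        " 0000 123 main/binary-amd64/Packages\n" % (date, valid_until)
    )


NOW = datetime(2018, 2, 26, 12, 0, 0, tzinfo=timezone.utc)
DRIFT_8S = make_release("Mon, 26 Feb 2018 12:00:08 UTC",
                        "Mon, 05 Mar 2018 12:00:00 UTC")
DRIFT_30S = make_release("Mon, 26 Feb 2018 12:00:30 UTC",
                         "Mon, 05 Mar 2018 12:00:00 UTC")

if __name__ == "__main__":
    later = NOW + timedelta(days=8)
    for label, args in [
        ("8 s ahead, defaults", (DRIFT_8S, NOW)),
        ("30 s ahead, defaults", (DRIFT_30S, NOW)),
        ("30 s ahead, max_future=60", (DRIFT_30S, NOW, True, 60)),
        ("expired, defaults", (DRIFT_8S, later)),
        ("expired, check_date off", (DRIFT_8S, later, False)),
    ]:
        print(label, "->", check_release_dates(*args))
```

The last case is the one to watch when auditing sources.list entries: with check-date off, a Release file past its Valid-Until is accepted.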
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
can be used to configure this further:
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
-- Julian Andres Klode <jak(a)debian.org> Mon, 23 Oct 2017 01:58:18 +0200
apt (1.5~beta1) unstable; urgency=medium
[ New HTTPS method ]
The default http method now supports HTTPS itself, including encrypted proxies
and connecting to HTTPS sites via HTTPS proxies; and the apt-transport-https
package only provides a "curl+https" method now as a fallback, but will be
removed shortly. If TLS support is unwanted, it can be disabled overall by
setting the option Acquire::AllowTLS to "false".
As for backwards compatibility, the options IssuerCert and SslForceVersion
are not supported anymore, and any specified certificate files must be in the
PEM format (curl might have allowed DER files as well).
[ Changes to unauthenticated repositories ]
The security exception for apt-get to only raise warnings if it encounters
unauthenticated repositories in the "update" command is gone now, so that it
will raise errors just like apt and all other apt-based front-ends do since
at least apt version 1.3.
It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
behaviour of apt-get by setting the option
Binary::apt-get::Acquire::AllowInsecureRepositories "true";
See apt-secure(8) manpage for configuration details.
[ Release Info Changes ]
If values like Origin, Label, and Codename change in a Release file,
update fails, or asks a user (if interactive). Various
--allow-releaseinfo-change options are provided for non-interactive use.
-- Julian Andres Klode <jak(a)debian.org> Mon, 03 Jul 2017 15:09:23 +0200
borgbackup (1.1.1-1) unstable; urgency=medium
- When upgrading from borg 1.0.x to 1.1.x, please note:
- read all the compatibility notes for 1.1.0*, starting from 1.1.0b1.
- borg might ask some security-related questions once after upgrading.
You can answer them either manually or via environment variable.
One known case is if you use unencrypted repositories, then it will ask
about an unknown unencrypted repository one time.
- your first backup with 1.1.x might be significantly slower (it might
completely read, chunk, hash a lot of files) - this is due to the
--files-cache mode change (and happens every time you change mode).
You can avoid the one-time slowdown by using the pre-1.1.0rc4-compatible
mode (but that is less safe for detecting changed files than the default).
See the --files-cache docs for details.
- The deprecated --no-files-cache is not a global/common option any more,
but only available for borg create (it is not needed for anything else).
Use --files-cache=disabled instead of --no-files-cache.
- The nodump flag ("do not backup this file") is not honoured any more by
default because this functionality (esp. if it happened by error or
unexpected) was rather confusing and unexplainable at first to users.
If you want that "do not backup NODUMP-flagged files" behaviour, use:
borg create --exclude-nodump ...
- A borg server >= 1.1.0rc4 does not support borg clients 1.1.0b3-b5. #3033
- The files cache is now controlled differently and has a new default mode:
- the files cache now uses ctime by default for improved file change
detection safety. You can still use mtime for more speed and less safety.
- --ignore-inode is deprecated (use --files-cache=... without "inode")
- --no-files-cache is deprecated (use --files-cache=disabled)
- list: corrected mix-up of "isomtime" and "mtime" formats. Previously,
"isomtime" was the default but produced a verbose human format,
while "mtime" produced an ISO-8601-like format.
The behaviours have been swapped (so "mtime" is human, "isomtime" is
ISO-like), and the default is now "mtime".
"isomtime" is now a real ISO-8601 format ("T" between date and time, not a
space).
- delete: removed short option for --cache-only
- Running "borg init" via a "borg serve --append-only" server will *not*
create an append-only repository anymore. Use "borg init --append-only" to
initialize an append-only repository.
- Repositories in the "repokey" and "repokey-blake2" modes with an empty
passphrase are now treated as unencrypted repositories for security checks
(e.g. BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK).
Previously there would be no prompts nor messages if an unknown repository
in one of these modes with an empty passphrase was encountered. This would
allow an attacker to swap a repository, if one assumed that the lack of
password prompts was due to a set BORG_PASSPHRASE.
Since the "trick" does not work if BORG_PASSPHRASE is set, this does
generally not affect scripts.
- Repositories in the "authenticated" mode are now treated as the unencrypted
repositories they are.
- The client-side temporary repository cache now holds unencrypted data for
better speed.
- borg init: removed the short form of --append-only (-a).
- borg upgrade: removed the short form of --inplace (-i).
- BORG_HOSTNAME_IS_UNIQUE is now on by default.
- removed --compression-from feature
- recreate: add --recompress flag, unify --always-recompress and --recompress
- init: the --encryption argument is mandatory now (there are several choices)
- moved "borg migrate-to-repokey" to "borg key migrate-to-repokey".
- "borg change-passphrase" is deprecated, use "borg key change-passphrase"
instead.
- the --exclude-if-present option now supports tagging a folder with any
filesystem object type (file, folder, etc), instead of expecting only files
as tags, #1999
- the --keep-tag-files option has been deprecated in favor of the new
--keep-exclude-tags, to account for the change mentioned above.
- use lz4 compression by default, #2179
- borg init: removed the default of "--encryption/-e", #1979
This was done so users make an informed decision about -e mode.
- See the upstream changelog for a list of the new features and bug fixes
-- Gianfranco Costamagna <locutusofborg(a)debian.org> Thu, 26 Oct 2017 09:01:19 +0200
cups-filters (1.14.0-1) experimental; urgency=medium
This release adds the "--enable-auto-setup-driverless" ./configure
option. With this option set, cups-browsed creates queues for all
discovered IPP network printers on the local network which support
driverless printing (IPP Everywhere or Apple AirPrint).
-- Didier Raboud <odyx(a)debian.org> Tue, 16 May 2017 20:04:57 +0200
dovecot (1:2.3.2-1) unstable; urgency=medium
Upgrading to the 2.3 series may require manual configuration changes.
Some settings have been removed, while others have had their defaults
changed. Please see
/usr/share/doc/dovecot-core/wiki/Upgrading.2.3.txt.gz
or the online version at
https://wiki2.dovecot.org/Upgrading/2.3
for more information and review your configuration accordingly.
-- Apollon Oikonomopoulos <apoikos(a)debian.org> Sat, 24 Mar 2018 00:34:07 +0200
dovecot (1:2.2.31-1) unstable; urgency=medium
TLS is now enabled by default, using the ssl-cert-snakeoil certificate
provided by the ssl-cert package. Upgrades from older versions will be
prompted to accept the new configuration and enable TLS. If you have already
configured TLS yourself, you'll most probably want to keep your settings
intact.
See /usr/share/doc/dovecot-core/README.Debian for more information on the
certificate's default location and how to install your own certificates.
-- Apollon Oikonomopoulos <apoikos(a)debian.org> Sun, 25 Jun 2017 01:09:28 +0300
fail2ban (0.10.2-1) unstable; urgency=medium
This version is a major development leap forward to provide
IPv6 support, which also required extensions to the configuration
system. That is why it is not unlikely that configuration left from the
previous version(s) would either not work or would not work as intended.
You are advised to accept new configuration and adjust it for your
customizations (if any). See changelog.Debian.gz for more information.
-- Yaroslav Halchenko <debian(a)onerussian.com> Sun, 21 Jan 2018 22:25:26 -0500
fish (3.0.0-1) unstable; urgency=medium
fish 3 is a major release, which introduces some breaking changes
alongside improved functionality. Although most existing scripts will
continue to work, they should be reviewed against the list contained
in the release notes: /usr/share/doc/fish/changelog.gz
-- Mo Zhou <cdluminate(a)gmail.com> Wed, 09 Jan 2019 02:35:17 +0000
fontconfig (2.12.3-0.2) unstable; urgency=medium
Starting with version 2.12, fontconfig is using "Slight" (hintslight) as
automatic hinting style. This might change the rendering of the fonts.
If you want to restore the old hinting, run "dpkg-reconfigure
fontconfig-config" and select "Full" as hinting style.
-- Laurent Bigonville <bigon(a)debian.org> Tue, 04 Jul 2017 21:10:57 +0200
gdb (8.2-1) unstable; urgency=medium
gdb-python2 package has been removed, starting with GDB 8.2.
-- Héctor Orón Martínez <zumbi(a)debian.org> Fri, 23 Nov 2018 22:56:43 +0100
glibc (2.26-5) unstable; urgency=medium
Starting with version 2.26-1, the glibc requires a 3.2 or later Linux
kernel. If you use an older kernel, please upgrade it *before*
installing this glibc version. Failing to do so will end-up with the
following failure:
Preparing to unpack .../libc6_2.26-5_amd64.deb ...
ERROR: This version of the GNU libc requires kernel version
3.2 or later. Please upgrade your kernel before installing
glibc.
The decision to not support older kernels is a GNU libc upstream
decision.
Note: This obviously does not apply to non-Linux kernels.
-- Aurelien Jarno <aurel32(a)debian.org> Tue, 23 Jan 2018 22:03:12 +0100
gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
In this version we adopt GnuPG's upstream approach of making keyserver
access default to self-sigs-only. This defends against receiving
flooded OpenPGP certificates. To revert to the previous behavior (not
recommended!), add the following directive to ~/.gnupg/gpg.conf:
keyserver-options no-self-sigs-only
We also adopt keys.openpgp.org as the default keyserver, since it avoids
the associated bandwidth waste of fetching third-party certifications
that will not be used. To revert to the older SKS keyserver network (not
recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
keyserver hkps://hkps.pool.sks-keyservers.net
Note: we do *not* adopt upstream's choice of import-clean for the
keyserver default, since it can lead to data loss, see
https://dev.gnupg.org/T4628 for more details.
-- Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> Wed, 21 Aug 2019 14:53:47 -0400
gnustep-base (1.26.0-4+deb10u1) buster; urgency=medium
The gdomap daemon has been inadvertently enabled in 1.25.1-1 while
implementing a new Debian Policy requirement (§9.3.3.1). This version
forcefully disables it again. If you want the daemon running, run
"update-rc.d gdomap enable" to enable it.
-- Yavor Doganov <yavor(a)gnu.org> Sun, 22 Sep 2019 12:32:33 +0300
gnustep-base (1.25.0-1) experimental; urgency=medium
The example programs using the GNUstep Base library have been moved to
the gnustep-base-doc package. The gnustep-base-examples package has
been removed.
-- Yavor Doganov <yavor(a)gnu.org> Sat, 30 Sep 2017 13:54:45 +0300
ifupdown (0.8.34) unstable; urgency=medium
VLAN interfaces that are marked allow-hotplug are now brought up
automatically when the parent interface is hotplugged.
-- Guus Sliepen <guus(a)debian.org> Fri, 25 May 2018 22:33:22 +0200
ifupdown (0.8.32) unstable; urgency=medium
Since version 0.8, ifupdown allows concurrent calls of ifup and ifdown.
While calls for the same interface will be serialized, calls for different
interfaces can run in parallel. This is especially important during boot
time, when the chance is high that multiple interfaces are being brought up
concurrently. Ensure that any if-pre/post-up/down.d scripts you use are safe
to run concurrently, as well as any pre/post-up/down commands in
/etc/network/interfaces.
-- Guus Sliepen <guus(a)debian.org> Wed, 04 Apr 2018 23:20:51 +0200
ifupdown (0.8.20) unstable; urgency=medium
Ifupdown now supports pattern matching for interfaces. This will help
writing /etc/network/interfaces for systems with changing interface names,
or to simplify configuration for a large number of interfaces. The details
are in the interfaces(5) manual page, and examples are provided in
/usr/share/doc/ifupdown/examples/pattern-matching.
-- Guus Sliepen <guus(a)debian.org> Tue, 10 Jan 2017 17:20:09 +0100
iptables (1.8.1-2) unstable; urgency=medium
All the iptables binaries have been moved away from /sbin to /usr/sbin.
Some compatibility symlinks have been added for the Buster release cycle,
but please make sure your scripts aren't using hardcoded binary paths.
The plan after Buster is to drop the symlinks.
-- Arturo Borrero Gonzalez <arturo(a)debian.org> Wed, 25 Oct 2018 12:00:00 +0200
iptables (1.8.1-1) unstable; urgency=medium
By default, this package will try to use the nf_tables kernel backend
instead of the xtables one. Please, read more about this in
/usr/share/doc/iptables/README.Debian, including details about the new
update-alternatives configuration possibilities.
This is a major update on the way iptables works and may have severe impact
in running systems which are upgrading between Debian versions.
The arptables and ebtables binaries are also affected, and those packages
will be updated soon as well.
-- Arturo Borrero Gonzalez <arturo(a)debian.org> Wed, 24 Oct 2018 14:00:00 +0200
linux-latest (86) unstable; urgency=medium
* From Linux 4.13.10-1, AppArmor is enabled by default. This allows
defining a "profile" for each installed program that can mitigate
security vulnerabilities in it. However, an incorrect profile might
disable some functionality of the program.
In case you suspect that an AppArmor profile is incorrect, see
<https://lists.debian.org/debian-devel/2017/11/msg00178.html> and
consider reporting a bug in the package providing the profile. The
profile may be part of the program's package or apparmor-profiles.
-- Ben Hutchings <ben(a)decadent.org.uk> Thu, 30 Nov 2017 20:08:25 +0000
linux-latest (81) unstable; urgency=medium
* From Linux 4.10, the old 'virtual syscall' interface on 64-bit PCs
(amd64) is disabled. This breaks chroot environments and containers
that use (e)glibc 2.13 and earlier, including those based on Debian 7
or RHEL/CentOS 6. To re-enable it, set the kernel parameter:
vsyscall=emulate
-- Ben Hutchings <ben(a)decadent.org.uk> Fri, 30 Jun 2017 23:50:03 +0100
mailman (1:2.1.26-1) unstable; urgency=medium
This package contains the legacy 2.x branch of Mailman. Development
happens in the Mailman 3 suite, available in Debian since this release
via the 'mailman3-full' metapackage.
They are both available in this release, so you can migrate at your own
pace. This mailman (2.x) package will be kept in working order for the
foreseeable future, but will not see any major changes or improvements.
It will be removed from the first Debian release after Mailman upstream
has stopped support for this branch.
-- Thijs Kinkhorst <thijs(a)debian.org> Sat, 03 Feb 2018 09:30:22 +0000
mutt (1.9.1-4) unstable; urgency=medium
Due to the switch to upstream mutt some behaviors will have changed. This
includes the patch implementing implicit autoview of text/html parts upon
Return.
The upstream behavior makes use of either 'm' to explicitly view
parts using mailcap or setting "auto_view text/html" to enable it explicitly.
-- Antonio Radici <antonio(a)debian.org> Fri, 24 Nov 2017 19:04:39 +0000
mutt (1.9.1-1) unstable; urgency=medium
Starting from this version, we switch mutt to the default source package
obtained on mutt.org. Due to incompatible formatting changes the previous
neomutt patch became bigger than the package itself and adopting it and naming
it 'mutt' was not possible because the maintainer of Mutt objected on legal
grounds.
This means that, at least on this version, notmuch is not available and to
enable the sidebar you will have to add 'set sidebar_visible' to your .muttrc
(if you do not have it already).
-- Antonio Radici <antonio(a)debian.org> Mon, 20 Nov 2017 21:38:53 +0000
needrestart (3.3-2) unstable; urgency=medium
Starting with version 2.11-3+deb9u1 and 2.11+git20180213-1 needrestart does
not restart services in non-interactive mode with the default configuration
anymore. This change was a bugfix for #876459.
Please have a look at #894444 for more information.
-- Patrick Matthäi <pmatthaei(a)debian.org> Wed, 31 Oct 2018 15:39:31 +0100
newt (0.52.20-4) unstable; urgency=medium
* Drop Priority: important for whiptail, to minimize system size.
This means any package that requires 'whiptail' for dialogs in scripts,
etc. must now explicitly depend on it.
Closes: #893563
-- Alastair McKinstry <mckinstry(a)debian.org> Mon, 19 Mar 2018 13:07:22 +0000
openssh (1:7.9p1-1) unstable; urgency=medium
OpenSSH 7.9 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
bans the use of DSA keys as certificate authorities.
* sshd(8): the authentication success/failure log message has changed
format slightly. It now includes the certificate fingerprint
(previously it included only key ID and CA key fingerprint).
-- Colin Watson <cjwatson(a)debian.org> Sun, 21 Oct 2018 10:39:24 +0100
openssh (1:7.8p1-1) unstable; urgency=medium
OpenSSH 7.8 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): Write OpenSSH format private keys by default instead of
using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
releases since 2014 and described in the PROTOCOL.key file in the
source distribution, offers substantially better protection against
offline password guessing and supports key comments in private keys.
If necessary, it is possible to write old PEM-style keys by adding "-m
PEM" to ssh-keygen's arguments when generating or updating a key.
* sshd(8): Remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): Remove vestigial support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long gone)
rhosts-style authentication, but has not been necessary for a long
time. Attempting to execute ssh as a setuid binary, or with uid !=
effective uid will now yield a fatal error at runtime.
* sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted key
types. This distinction matters when using the RSA/SHA2 signature
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
counterparts. Configurations that override these options but omit
these algorithm names may cause unexpected authentication failures (no
action is required for configurations that accept the default for these
options).
* sshd(8): The precedence of session environment variables has changed.
~/.ssh/environment and environment="..." options in authorized_keys
files can no longer override SSH_* variables set implicitly by sshd.
* ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
-- Colin Watson <cjwatson(a)debian.org> Thu, 30 Aug 2018 15:35:27 +0100
openssh (1:7.6p1-1) unstable; urgency=medium
OpenSSH 7.6 includes a number of changes that may affect existing
configurations:
* ssh(1): Delete SSH protocol version 1 support, associated configuration
options and documentation.
* ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.
* ssh(1): Do not offer CBC ciphers by default.
-- Colin Watson <cjwatson(a)debian.org> Fri, 06 Oct 2017 12:36:48 +0100
openssh (1:7.5p1-1) experimental; urgency=medium
OpenSSH 7.5 includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation option,
thereby making privilege separation mandatory.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and their
authentication state. Software that monitors ssh/sshd logs may need to
account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
-- Colin Watson <cjwatson(a)debian.org> Sun, 02 Apr 2017 02:58:01 +0100
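Added example, not part of OpenSSH or of this NEWS entry: a Python parser for the "Connection closed" message that accepts the three 7.5 forms quoted above as well as the older form without a user field. The pre-7.5 layout (`Connection closed by <addr> port <port> [preauth]`), the syslog prefixes, the function names and all sample lines are assumptions or constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The user field is optional (absent before 7.5). The address and port are
# anchored at the END of the line: the user name is chosen by the remote
# client, so text inside it must never be read as the peer address.
CLOSED_RE = re.compile(
    r"Connection closed by "
    r"(?:(?P<state>(?:authenticating |invalid )?user) (?P<user>.*?) )?"
    r"(?P<addr>[0-9A-Fa-f:.]+) port (?P<port>\d+)"
    r"(?: \[(?P<phase>preauth)\])?\s*$"
)


def parse_closed(line):
    """Parse one sshd 'Connection closed' line, or return None."""
    m = CLOSED_RE.search(line)
    if m is None:
        return None
    try:
        addr = str(ipaddress.ip_address(m.group("addr")))
    except ValueError:
        return None  # not a numeric address: do not guess
    return {
        # "legacy" marks the older form that carries no user field
        "state": m.group("state") or "legacy",
        "user": m.group("user"),
        "addr": addr,
        "port": int(m.group("port")),
        "preauth": m.group("phase") is not None,
    }


def preauth_closes(lines):
    """Count pre-authentication closes per (address, state)."""
    counts = Counter()
    for line in lines:
        rec = parse_closed(line)
        if rec and rec["preauth"]:
            counts[(rec["addr"], rec["state"])] += 1
    return counts


# Constructed sample log. Lines 2-4 carry the messages quoted in the NEWS
# entry; line 5 has a user name that imitates an address and port.
SAMPLE_LINES = [
    "Apr  2 02:58:01 host sshd[811]: Connection closed by 192.0.2.7 port 4022 [preauth]",
    "Apr  2 02:58:02 host sshd[812]: Connection closed by user x 1.1.1.1 port 1234 [preauth]",
    "Apr  2 02:58:03 host sshd[813]: Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]",
    "Apr  2 02:58:04 host sshd[814]: Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]",
    "Apr  2 02:58:05 host sshd[815]: Connection closed by invalid user "
    "admin 198.51.100.9 port 1 203.0.113.5 port 50022 [preauth]",
    "Apr  2 02:58:06 host sshd[816]: Accepted publickey for x from 192.0.2.7 port 4022 ssh2",
]

if __name__ == "__main__":
    for key, n in sorted(preauth_closes(SAMPLE_LINES).items()):
        print(key, n)
```

A pattern written only for the older form silently stops matching after the upgrade, so monitoring rules should be tested against both layouts.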
openssl (1.1.1-2) unstable; urgency=medium
Following various security recommendations, the default minimum TLS version
has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
plan to do the same around March 2020.
The default security level for TLS connections has also been increased from
level 1 to level 2. This moves from the 80 bit security level to the 112 bit
security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
or larger ECC keys, and SHA-2.
The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
might also have a way to override the defaults.
In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
line. The CipherString can also set the security level. Information about the
security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
The list of valid strings for the minimum protocol version can be found in
SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
config(5ssl).
Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
defaults can be done using:
MinProtocol = None
CipherString = DEFAULT
It's recommended that you contact the remote site in case the defaults cause
problems.
-- Kurt Roeckx <kurt(a)roeckx.be> Sun, 28 Oct 2018 20:58:35 +0100
powerline (2.6-2) unstable; urgency=medium
Global powerline configuration data which affects all users may now be
placed in the /etc/powerline directory. It will override the application
defaults, but user-defined powerline configuration will still take
precedence.
Powerline merges configuration data from all available sources, so
copying complete config files isn't required: only specific keys or
sections may be defined in the global or user-defined locations.
-- Jerome Charaoui <jerome(a)riseup.net> Wed, 30 May 2018 21:21:47 -0400
samba (2:4.6.5+dfsg-5) unstable; urgency=medium
The samba service has been removed. Use the individual services instead:
* nmbd
* smbd
* samba-ad-dc
-- Mathieu Parent <sathieu(a)debian.org> Tue, 18 Jul 2017 22:52:05 +0200
spamassassin (3.4.2-1) unstable; urgency=medium
Prior to version 3.4.2-1, spamd could be enabled by setting ENABLED=1 in
/etc/default/spamassassin. This pattern is discouraged in Debian, is not
supported by the systemd unit file, and is considered
deprecated. Instead, please use the update-rc.d command, invoked for
example as "update-rc.d spamassassin enable", to enable the spamd
service.
-- Noah Meyerhans <noahm(a)debian.org> Sun, 23 Sep 2018 17:06:30 -0700
systemd (236-1) unstable; urgency=medium
DynamicUser=yes has been enabled for systemd-journal-upload.service and
systemd-journal-gatewayd.service.
This means we no longer need to statically allocate a systemd-journal-upload
and systemd-journal-gateway user and you can now safely remove those system
users along with their associated groups.
-- Michael Biebl <biebl(a)debian.org> Sun, 17 Dec 2017 21:17:32 +0100
util-linux (2.32-0.4) unstable; urgency=medium
The util-linux implementation of /bin/su is now used, replacing the
one previously supplied by src:shadow (shipped in login package), and
bringing Debian in line with other modern distributions. The two
implementations are very similar but have some minor differences (and
there might be more that was not yet noticed of course), e.g.
- new 'su' (with no args, i.e. when preserving the environment) also
preserves PATH and IFS, while old su would always reset PATH and IFS
even in 'preserve environment' mode.
- new 'su -' (creating new environment) will do just that, while old
su would always preserve content of DISPLAY and XAUTHORITY
environment variables. Set them as needed (but beware X doesn't give
you any real privileges separation anyway if you can access an X
server of another user). See pam_xauth(8) if you want to reconfigure
pam for seamless xauth keys.
- su '' (empty user string) used to give root, but now returns an error.
- previously su only had one pam config, but now 'su -' is configured
separately in /etc/pam.d/su-l. This file additionally invokes
'pam_keyinit' to revoke the session keyring.
The first difference is probably the most user visible one. Doing
plain 'su' is a really bad idea for many reasons, so using 'su -' is
strongly recommended to always get a newly set up environment similar
to a normal login. If you want to restore behaviour more similar to
the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs.
-- Andreas Henriksson <andreas(a)fatal.se> Fri, 03 Aug 2018 10:52:22 +0200
util-linux (2.29.2-3) experimental; urgency=medium
* The cfdisk, fdisk and sfdisk utilities have been split out into a
separate fdisk package. Any package needing these utilities should
add a dependency on: fdisk | util-linux (<< 2.29.2-3~)
(The second part of it makes the dependency also be fulfilled in case
of stretch-backports and should be considered optional.)
-- Andreas Henriksson <andreas(a)fatal.se> Sun, 06 Aug 2017 14:59:02 +0200
util-linux (2.29.2-2) unstable; urgency=medium
* The deprecated 'pg' utility is no longer shipped.
(Please use either 'more' or 'less' instead.)
* The deprecated 'tunelp' utility is no longer shipped.
(Parallel port printers are suspected to be extinct by now.)
* The deprecated 'line' utility is no longer shipped.
(Please use the 'head' utility instead.)
* The deprecated 'tailf' utility is no longer shipped.
(Please use 'tail -f' instead.)
-- Andreas Henriksson <andreas(a)fatal.se> Mon, 13 Mar 2017 19:27:14 +0100
weechat (2.1-1) unstable; urgency=medium
This release introduces a new headless client and a new PHP plugin for
scripting (respectively weechat-headless and weechat-php binary
packages).
To avoid at least unnecessary dependencies, each plugin has its own
separate binary package:
weechat-{perl,python,ruby,lua,guile,javascript,php}
Depending on your needs about scripting with weechat you should consider
to install the missing packages.
-- Emmanuel Bouthenot <kolter(a)debian.org> Wed, 21 Mar 2018 07:53:40 +0100
zsh (5.4.2-1) unstable; urgency=medium
From the upstream README of 5.4.1:
The default behaviour of code like the following has
changed:
alias foo='noglob foo'
foo() { print function body; }
When this is encountered in a start-up file, or other place where
input was read line by line, "foo" is in command position and is
expanded as an alias before the function definition takes place. In
previous versions of the shell, this caused two functions "noglob" and
"foo" to be defined. Any expansion of an alias in a function
definition is nearly always an unintended effect, as well as hard to
detect, so has been made an error. (The option setting
NO_MULTI_FUNC_DEF turned this case into an error, but did not help
with other cases and is off by default.) The alternative, of not
expanding the alias, was rejected as it was more difficult to achieve
in the parser and also would silently change the shell's behaviour
between versions. A new option, ALIAS_FUNC_DEF, has been added, which
can be set to make the shell behave as in previous versions. It is in
any case recommended to use the "function" keyword, as aliases are not
expanded afterwards.
The common error message triggered by this change looks as follows:
zsh: defining function based on alias `foo'
zsh: parse error near `()'
See https://bugs.debian.org/871816 for more information.
-- Axel Beckert <abe(a)debian.org> Fri, 11 Aug 2017 21:43:25 +0200
apt-listchanges (3.14) unstable; urgency=low
When displaying changelogs during upgrades is enabled, but no changelog
file is provided by any of binary packages being processed together, then
apt-listchanges will call `apt-get changelog' command to retrieve changes
over network. (Similar functionality has existed in Ubuntu for ages, and
was incorporated into Debian a few versions ago.)
If for some reason, like limited network connectivity, this behavior
is undesirable, it can be now disabled with the new `--no-network' option
that can be also set using debconf interface:
dpkg-reconfigure apt-listchanges
Additionally the debconf interface was improved to manage a few older
configuration options, for example `--email-format'.
-- Robert Luberda <robert(a)debian.org> Sun, 09 Jul 2017 09:55:48 +0200
debconf (1.5.68) unstable; urgency=low
From now on, the KDE frontend requires the debconf-kde-helper package.
libqtcore4-perl and libqtgui4-perl packages can be safely removed.
-- Modestas Vainius <modax(a)debian.org> Wed, 18 Jul 2018 21:12:23 +0100