apt (1.8.0~alpha3) unstable; urgency=medium
The PATH for running dpkg is now configured by the option DPkg::Path,
and defaults to "/usr/sbin:/usr/bin:/sbin:/bin". Previous behavior of
not changing PATH may be restored by setting the option to an empty string.
Support for /etc/apt/auth.conf.d/ has been added, see apt_auth.conf(5).
-- Julian Andres Klode <jak(a)debian.org> Tue, 18 Dec 2018 15:02:11 +0100
apt (1.6~rc1) unstable; urgency=medium
Seccomp sandboxing has been turned off by default for now. If it works
for you, you are encouraged to re-enable it by setting APT::Sandbox::Seccomp
to true.
-- Julian Andres Klode <jak(a)debian.org> Fri, 06 Apr 2018 14:14:29 +0200
apt (1.6~beta1) unstable; urgency=medium
APT now verifies that the date of Release files is not in the future. By
default, it may be 10 seconds in the future to allow for some clock drift.
Two new configuration options can be used to tweak the behavior:
Acquire::Check-Date
Acquire::Max-DateFuture
These can be overridden in sources.list entries using the check-date
and date-future-max options. Note that disabling check-date also
disables checks on valid-until: It is considered to mean that your
machine's time is not reliable.
-- Julian Andres Klode <jak(a)debian.org> Mon, 26 Feb 2018 13:14:13 +0100
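The date rules from this entry, as an added Python sketch (not APT's own code): it reads the Date and Valid-Until fields of a constructed Release header and applies the future-date limit and the check-date switch. The function names, the sample header and the handling of a missing Date field are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Release header for illustration; not from a real archive.
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Mon, 26 Feb 2018 12:00:00 UTC
Valid-Until: Mon, 05 Mar 2018 12:00:00 UTC
"""


def release_fields(text):
    """Parse the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with a space; skip them.
        if line[:1].isspace() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_release_dates(text, now, check_date=True, max_date_future=10):
    """Return (accepted, reason) following the rules in the NEWS entry.

    check_date and max_date_future stand in for Acquire::Check-Date and
    Acquire::Max-DateFuture (seconds); the function itself is hypothetical.
    """
    if not check_date:
        # Per the entry, disabling check-date also disables Valid-Until.
        return True, "date checks disabled"
    fields = release_fields(text)
    if "Date" not in fields:
        # Assumption of this sketch: a missing Date is treated as a failure.
        return False, "no Date field"
    date = parsedate_to_datetime(fields["Date"])
    if date - now > timedelta(seconds=max_date_future):
        return False, "Date is in the future"
    if "Valid-Until" in fields:
        if now > parsedate_to_datetime(fields["Valid-Until"]):
            return False, "Valid-Until has passed"
    return True, "ok"


if __name__ == "__main__":
    # A client clock one minute behind the archive: rejected by default.
    slow_clock = datetime(2018, 2, 26, 11, 59, 0, tzinfo=timezone.utc)
    print(check_release_dates(SAMPLE_RELEASE, slow_clock))
    print(check_release_dates(SAMPLE_RELEASE, slow_clock, max_date_future=120))
```
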
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
can be used to configure this further:
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
-- Julian Andres Klode <jak(a)debian.org> Mon, 23 Oct 2017 01:58:18 +0200
apt (1.5~beta1) unstable; urgency=medium
[ New HTTPS method ]
The default http method now supports HTTPS itself, including encrypted proxies
and connecting to HTTPS sites via HTTPS proxies; and the apt-transport-https
package only provides a "curl+https" method now as a fallback, but will be
removed shortly. If TLS support is unwanted, it can be disabled overall by
setting the option Acquire::AllowTLS to "false".
As for backwards compatibility, the options IssuerCert and SslForceVersion
are not supported anymore, and any specified certificate files must be in the
PEM format (curl might have allowed DER files as well).
[ Changes to unauthenticated repositories ]
The security exception for apt-get to only raise warnings if it encounters
unauthenticated repositories in the "update" command is gone now, so that it
will raise errors just like apt and all other apt-based front-ends do since
at least apt version 1.3.
It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
behaviour of apt-get by setting the option
Binary::apt-get::Acquire::AllowInsecureRepositories "true";
See apt-secure(8) manpage for configuration details.
[ Release Info Changes ]
If values like Origin, Label, and Codename change in a Release file,
update fails, or asks a user (if interactive). Various
--allow-releaseinfo-change are provided for non-interactive use.
-- Julian Andres Klode <jak(a)debian.org> Mon, 03 Jul 2017 15:09:23 +0200
fail2ban (0.10.2-1) unstable; urgency=medium
This version is a major development leap forward to provide
IPv6 support, which also required extensions to the configuration
system. That is why it is not unlikely that configuration left from the
previous version(s) would either not work or would not work as intended.
You are advised to accept new configuration and adjust it for your
customizations (if any). See changelog.Debian.gz for more information.
-- Yaroslav Halchenko <debian(a)onerussian.com> Sun, 21 Jan 2018 22:25:26 -0500
fish (3.0.0-1) unstable; urgency=medium
fish 3 is a major release, which introduces some breaking changes
alongside improved functionality. Although most existing scripts will
continue to work, they should be reviewed against the list contained
in the release notes: /usr/share/doc/fish/changelog.gz
-- Mo Zhou <cdluminate(a)gmail.com> Wed, 09 Jan 2019 02:35:17 +0000
fontconfig (2.12.3-0.2) unstable; urgency=medium
Starting with version 2.12, fontconfig is using "Slight" (hintslight) as
automatic hinting style. This might change the rendering of the fonts.
If you want to restore the old hinting, run "dpkg-reconfigure
fontconfig-config" and select "Full" as hinting style.
-- Laurent Bigonville <bigon(a)debian.org> Tue, 04 Jul 2017 21:10:57 +0200
gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
In this version we adopt GnuPG's upstream approach of making keyserver
access default to self-sigs-only. This defends against receiving
flooded OpenPGP certificates. To revert to the previous behavior (not
recommended!), add the following directive to ~/.gnupg/gpg.conf:
keyserver-options no-self-sigs-only
We also adopt keys.openpgp.org as the default keyserver, since it avoids
the associated bandwidth waste of fetching third-party certifications
that will not be used. To revert to the older SKS keyserver network (not
recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
keyserver hkps://hkps.pool.sks-keyservers.net
Note: we do *not* adopt upstream's choice of import-clean for the
keyserver default, since it can lead to data loss, see
https://dev.gnupg.org/T4628 for more details.
-- Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> Wed, 21 Aug 2019 14:53:47 -0400
ifupdown (0.8.34) unstable; urgency=medium
VLAN interfaces that are marked allow-hotplug are now brought up
automatically when the parent interface is hotplugged.
-- Guus Sliepen <guus(a)debian.org> Fri, 25 May 2018 22:33:22 +0200
ifupdown (0.8.32) unstable; urgency=medium
Since version 0.8, ifupdown allows concurrent calls of ifup and ifdown.
While calls for the same interface will be serialized, calls for different
interfaces can run in parallel. This is especially important during boot
time, when the chance is high that multiple interfaces are being brought up
concurrently. Ensure that any if-pre/post-up/down.d scripts you use are safe
to run concurrently, as well as any pre/post-up/down commands in
/etc/network/interfaces.
-- Guus Sliepen <guus(a)debian.org> Wed, 04 Apr 2018 23:20:51 +0200
ifupdown (0.8.20) unstable; urgency=medium
Ifupdown now supports pattern matching for interfaces. This will help
writing /etc/network/interfaces for systems with changing interface names,
or to simplify configuration for a large number of interfaces. The details
are in the interfaces(5) manual page, and examples are provided in
/usr/share/doc/ifupdown/examples/pattern-matching.
-- Guus Sliepen <guus(a)debian.org> Tue, 10 Jan 2017 17:20:09 +0100
iptables (1.8.1-2) unstable; urgency=medium
All the iptables binaries have been moved away from /sbin to /usr/sbin.
Some compatibility symlinks have been added for the Buster release cycle,
but please make sure your scripts aren't using hardcoded binary paths.
The plan after Buster is to drop the symlinks.
-- Arturo Borrero Gonzalez <arturo(a)debian.org> Wed, 25 Oct 2018 12:00:00 +0200
iptables (1.8.1-1) unstable; urgency=medium
By default, this package will try to use the nf_tables kernel backend
instead of the xtables one. Please, read more about this in
/usr/share/doc/iptables/README.Debian, including details about the new
update-alternatives configuration possibilities.
This is a major update on the way iptables works and may have severe impact
in running systems which are upgrading between Debian versions.
The arptables and ebtables binaries are also affected, and those packages
will be updated soon as well.
-- Arturo Borrero Gonzalez <arturo(a)debian.org> Wed, 24 Oct 2018 14:00:00 +0200
mutt (1.9.1-4) unstable; urgency=medium
Due to the switch to upstream mutt some behaviors will have changed. This
includes the patch implementing implicit autoview of text/html parts upon
Return.
The upstream behavior makes use of either 'm' to explicitly view
parts using mailcap or setting "auto_view text/html" to enable it explicitly.
-- Antonio Radici <antonio(a)debian.org> Fri, 24 Nov 2017 19:04:39 +0000
mutt (1.9.1-1) unstable; urgency=medium
Starting from this version, we switch mutt to the default source package
obtained on mutt.org. Due to incompatible formatting changes the previous
neomutt patch became bigger than the package itself and adopting it and naming
it 'mutt' was not possible because the maintainer of Mutt objected on legal
grounds.
This means that, at least on this version, notmuch is not available and to
enable the sidebar you will have to add 'set sidebar_visible' to your .muttrc
(if you do not have it already).
-- Antonio Radici <antonio(a)debian.org> Mon, 20 Nov 2017 21:38:53 +0000
needrestart (3.3-2) unstable; urgency=medium
Starting with version 2.11-3+deb9u1 and 2.11+git20180213-1 needrestart does
not restart services in non-interactive mode with the default configuration
anymore. This change was a bugfix for #876459.
Please have a look at #894444 for more information.
-- Patrick Matthäi <pmatthaei(a)debian.org> Wed, 31 Oct 2018 15:39:31 +0100
newt (0.52.20-4) unstable; urgency=medium
* Drop Priority: important for whiptail, to minimize system size.
This means any package that requires 'whiptail' for dialogs in scripts,
etc. must now explicitly depend on it.
Closes: #893563
-- Alastair McKinstry <mckinstry(a)debian.org> Mon, 19 Mar 2018 13:07:22 +0000
openssh (1:7.9p1-1) unstable; urgency=medium
OpenSSH 7.9 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
bans the use of DSA keys as certificate authorities.
* sshd(8): the authentication success/failure log message has changed
format slightly. It now includes the certificate fingerprint
(previously it included only key ID and CA key fingerprint).
-- Colin Watson <cjwatson(a)debian.org> Sun, 21 Oct 2018 10:39:24 +0100
openssh (1:7.8p1-1) unstable; urgency=medium
OpenSSH 7.8 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): Write OpenSSH format private keys by default instead of
using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
releases since 2014 and described in the PROTOCOL.key file in the
source distribution, offers substantially better protection against
offline password guessing and supports key comments in private keys.
If necessary, it is possible to write old PEM-style keys by adding "-m
PEM" to ssh-keygen's arguments when generating or updating a key.
* sshd(8): Remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): Remove vestigial support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long gone)
rhosts-style authentication, but has not been necessary for a long
time. Attempting to execute ssh as a setuid binary, or with uid !=
effective uid will now yield a fatal error at runtime.
* sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted key
types. This distinction matters when using the RSA/SHA2 signature
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
counterparts. Configurations that override these options but omit
these algorithm names may cause unexpected authentication failures (no
action is required for configurations that accept the default for these
options).
* sshd(8): The precedence of session environment variables has changed.
~/.ssh/environment and environment="..." options in authorized_keys
files can no longer override SSH_* variables set implicitly by sshd.
* ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
-- Colin Watson <cjwatson(a)debian.org> Thu, 30 Aug 2018 15:35:27 +0100
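One way to find the overrides this entry warns about, as an added Python example (not part of the Debian or OpenSSH sources): it scans sshd_config text for PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes lists that accept "ssh-rsa" but omit the RSA/SHA2 signature algorithm names. The function name, the constructed sample and the choice to flag only lists that mention ssh-rsa are assumptions.

```python
from fnmatch import fnmatchcase

KEYWORDS = {"pubkeyacceptedkeytypes", "hostbasedacceptedkeytypes"}
RSA_SHA2 = ("rsa-sha2-256", "rsa-sha2-512")

# Constructed sshd_config fragment for illustration.
SAMPLE_CONFIG = """\
# constructed example
Port 22
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
HostbasedAcceptedKeyTypes +ssh-ed25519-cert-v01@openssh.com
Match User backup
    PubkeyAcceptedKeyTypes ssh-rsa,rsa-sha2-*
"""


def audit_accepted_key_types(text):
    """Return (line number, keyword, missing algorithms) for risky overrides."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "keyword=value" is also accepted.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].lower() not in KEYWORDS:
            continue
        value = parts[1].strip()
        if value[0] in "+-":
            # '+'/'-' lists modify the default instead of replacing it;
            # they are not examined by this sketch.
            continue
        patterns = value.split(",")

        def accepts(name):
            # The lists are comma-separated patterns, so honour wildcards.
            return any(fnmatchcase(name, p) for p in patterns)

        missing = [alg for alg in RSA_SHA2 if not accepts(alg)]
        # Heuristic (assumption): listing ssh-rsa means RSA keys are expected
        # to work, so the RSA/SHA2 signature names should be listed too.
        if accepts("ssh-rsa") and missing:
            findings.append((lineno, parts[0], missing))
    return findings


if __name__ == "__main__":
    for lineno, keyword, missing in audit_accepted_key_types(SAMPLE_CONFIG):
        print(f"line {lineno}: {keyword} omits {', '.join(missing)}")
```
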
openssh (1:7.6p1-1) unstable; urgency=medium
OpenSSH 7.6 includes a number of changes that may affect existing
configurations:
* ssh(1): Delete SSH protocol version 1 support, associated configuration
options and documentation.
* ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.
* ssh(1): Do not offer CBC ciphers by default.
-- Colin Watson <cjwatson(a)debian.org> Fri, 06 Oct 2017 12:36:48 +0100
openssh (1:7.5p1-1) experimental; urgency=medium
OpenSSH 7.5 includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation option,
thereby making privilege separation mandatory.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and their
authentication state. Software that monitors ssh/sshd logs may need to
account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
-- Colin Watson <cjwatson(a)debian.org> Sun, 02 Apr 2017 02:58:01 +0100
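The effect of this log format change on a monitor, as an added Python example (not from the OpenSSH or Debian sources): a matcher written for the earlier message form stops matching the three 7.5 messages quoted above, while the updated pattern parses both. The earlier form "Connection closed by ADDR port N", the syslog prefixes and all names in the code are assumptions.

```python
import re

# Assumed pre-7.5 form: "Connection closed by ADDR port N [preauth]".
OLD_PATTERN = re.compile(
    r"Connection closed by (?P<addr>\S+) port (?P<port>\d+)"
)

# Accepts the assumed old form plus the three 7.5 forms quoted in the entry.
NEW_PATTERN = re.compile(
    r"Connection closed by "
    r"(?:(?:(?P<state>authenticating|invalid) )?user (?P<user>\S+) )?"
    r"(?P<addr>\S+) port (?P<port>\d+)"
    r"(?: \[(?P<phase>\w+)\])?"
)

# Constructed log lines: syslog prefix is invented, messages follow the entry.
SAMPLE_LINES = [
    "Apr  2 02:58:01 host sshd[101]: Connection closed by 1.1.1.1 port 1234 [preauth]",
    "Apr  2 02:58:02 host sshd[102]: Connection closed by user x 1.1.1.1 port 1234 [preauth]",
    "Apr  2 02:58:03 host sshd[103]: Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]",
    "Apr  2 02:58:04 host sshd[104]: Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]",
]


def parse_closed(line):
    """Extract user, qualifier, address, port and phase, or None if no match."""
    m = NEW_PATTERN.search(line)
    if m is None:
        return None
    return {
        "user": m["user"],      # None for the assumed pre-7.5 form
        "state": m["state"],    # "authenticating", "invalid" or None
        "addr": m["addr"],
        "port": int(m["port"]),
        "phase": m["phase"],    # e.g. "preauth", None if the tag is absent
    }


def missed_by_old(lines):
    """Lines the updated pattern parses but the old-style matcher drops."""
    return [l for l in lines if NEW_PATTERN.search(l) and not OLD_PATTERN.search(l)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_closed(line))
    print(len(missed_by_old(SAMPLE_LINES)), "events missed by the old matcher")
```
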
util-linux (2.32-0.4) unstable; urgency=medium
The util-linux implementation of /bin/su is now used, replacing the
one previously supplied by src:shadow (shipped in login package), and
bringing Debian in line with other modern distributions. The two
implementations are very similar but have some minor differences (and
there might be more that was not yet noticed of course), e.g.
- new 'su' (with no args, i.e. when preserving the environment) also
preserves PATH and IFS, while old su would always reset PATH and IFS
even in 'preserve environment' mode.
- new 'su -' (creating new environment) will do just that, while old
su would always preserve content of DISPLAY and XAUTHORITY
environment variables. Set them as needed (but beware X doesn't give
you any real privileges separation anyway if you can access an X
server of another user). See pam_xauth(8) if you want to reconfigure
pam for seamless xauth keys.
- su '' (empty user string) used to give root, but now returns an error.
- previously su only had one pam config, but now 'su -' is configured
separately in /etc/pam.d/su-l. This file additionally invokes
'pam_keyinit' to revoke the session keyring.
The first difference is probably the most user visible one. Doing
plain 'su' is a really bad idea for many reasons, so using 'su -' is
strongly recommended to always get a newly set up environment similar
to a normal login. If you want to restore behaviour more similar to
the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs.
-- Andreas Henriksson <andreas(a)fatal.se> Fri, 03 Aug 2018 10:52:22 +0200
util-linux (2.29.2-3) experimental; urgency=medium
* The cfdisk, fdisk and sfdisk utilities have been split out into a
separate fdisk package. Any package needing these utilities should
add a dependency on: fdisk | util-linux (<< 2.29.2-3~)
(The second part of it makes the dependency also be fulfilled in case
of stretch-backports and should be considered optional.)
-- Andreas Henriksson <andreas(a)fatal.se> Sun, 06 Aug 2017 14:59:02 +0200
util-linux (2.29.2-2) unstable; urgency=medium
* The deprecated 'pg' utility is no longer shipped.
(Please use either 'more' or 'less' instead.)
* The deprecated 'tunelp' utility is no longer shipped.
(Parallel port printers are suspected to be extinct by now.)
* The deprecated 'line' utility is no longer shipped.
(Please use the 'head' utility instead.)
* The deprecated 'tailf' utility is no longer shipped.
(Please use 'tail -f' instead.)
-- Andreas Henriksson <andreas(a)fatal.se> Mon, 13 Mar 2017 19:27:14 +0100
zsh (5.4.2-1) unstable; urgency=medium
From the upstream README of 5.4.1:
The default behaviour of code like the following has
changed:
alias foo='noglob foo'
foo() { print function body; }
When this is encountered in a start-up file, or other place where
input was read line by line, "foo" is in command position and is
expanded as an alias before the function definition takes place. In
previous versions of the shell, this caused two functions "noglob" and
"foo" to be defined. Any expansion of an alias in a function
definition is nearly always an unintended effect, as well as hard to
detect, so has been made an error. (The option setting
NO_MULTI_FUNC_DEF turned this case into an error, but did not help
with other cases and is off by default.) The alternative, of not
expanding the alias, was rejected as it was more difficult to achieve
in the parser and also would silently change the shell's behaviour
between versions. A new option, ALIAS_FUNC_DEF, has been added, which
can be set to make the shell behave as in previous versions. It is in
any case recommended to use the "function" keyword, as aliases are not
expanded afterwards.
The common error message triggered by this change looks as follows:
zsh: defining function based on alias `foo'
zsh: parse error near `()'
See https://bugs.debian.org/871816 for more information.
-- Axel Beckert <abe(a)debian.org> Fri, 11 Aug 2017 21:43:25 +0200
apt-listchanges (3.14) unstable; urgency=low
When displaying changelogs during upgrades is enabled, but no changelog
file is provided by any of binary packages being processed together, then
apt-listchanges will call `apt-get changelog' command to retrieve changes
over network. (Similar functionality has existed in Ubuntu for ages, and
was incorporated into Debian a few versions ago.)
If for some reason, like limited network connectivity, this behavior
is undesirable, it can be now disabled with the new `--no-network' option
that can be also set using debconf interface:
dpkg-reconfigure apt-listchanges
Additionally the debconf interface was improved to manage a few older
configuration options, for example `--email-format'.
-- Robert Luberda <robert(a)debian.org> Sun, 09 Jul 2017 09:55:48 +0200
debconf (1.5.68) unstable; urgency=low
From now on, Kde frontend requires debconf-kde-helper package.
libqtcore4-perl and libqtgui4-perl packages can be safely removed.
-- Modestas Vainius <modax(a)debian.org> Wed, 18 Jul 2018 21:12:23 +0100
munin-node (2.0.42-1) unstable; urgency=low
The mysql_* plugins no longer use the "debian-sys-maint" account for
accessing the mysql database, but use "root" instead. This is based
on authentication via unix socket (introduced in mariadb v10.0).
You may need to override the munin plugin configuration for "mysql_*"
(e.g. in /etc/munin/plugin-conf.d/foo) if your mariadb server was
upgraded from a mysql server package and thus does not support unix
socket based authentication. This situation can be tested by running
"mysql -u root" without providing a password. No action is required,
if this works for you.
-- Lars Kruse <devel(a)sumpfralle.de> Sun, 05 Aug 2018 03:03:58 +0200