News from 2017...

in January

terminology (1.0.0-1+adr1)

UTC Sun, 29 Jan 2017 13:10:10
  • New upstream release 1.0.0
  • Bold/Italic support (on by default)
  • Add keybinding shift+home to go to the top of the backlog
  • Add keybinding shift+end to reset scroll
  • Add keybinding shift+left/right to switch between tabs
  • Add keybinding ctrl+alt+t to change terminal's title
  • Add ability to copy links on right-click menu
  • Font size can be changed by escape sequence
  • Rewrite link detection to be more efficient
  • Sanitize SHELL environment variable when using it
  • Fix selections
  • Fixes about escape sequences managing tabs
  • Many fixes

ansible (

UTC Sun, 29 Jan 2017 13:27:13
  • Merge patches from Debian
  • New upstream release
    • Security fix for CVE-2016-9587 - An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server as the user and group Ansible is running as.
    • Fixes a bug where undefined variables in with_* loops would cause a task failure even if the when condition would cause the task to be skipped.
    • Fixed a bug related to roles where in certain situations a role may be run more than once despite not allowing duplicates.
    • Fixed some additional bugs related to atomic_move for modules.
    • Fixes multiple bugs related to field/attribute inheritance in nested blocks and includes, as well as task iteration logic during failures.
    • Fixed pip installing packages into virtualenvs using the system pip instead of the virtualenv pip.
    • Fixed dnf on systems with dnf-2.0.x (some changes in the API).
    • Fixed traceback with dnf install of groups.
    • Fixes a bug in which include_vars was not working with failed_when.
    • Fix for include_vars only loading files with .yml, .yaml, and .json extensions. This was only supposed to apply to loading a directory of vars files.
    • Fixes several bugs related to properly incrementing the failed count in the host statistics.
    • Fixes a bug with listening handlers which did not specify a name field.
    • Fixes a bug with the play_hosts internal variable, so that it properly reflects the current list of hosts.
    • Fixes a bug related to the v2_playbook_on_start callback method and legacy (v1) plugins.
    • Fixes an openssh related process exit race condition, related to the fact that connections using ControlPersist do not close stderr.
    • Improvements and fixes to OpenBSD fact gathering.
    • Updated make deb to use pbuilder. Use make local_deb for the previous non-pbuilder build.
    • Fixed Windows async to avoid blocking due to handle inheritance.
    • Fixed bugs in the mount module on older Linux kernels and *BSDs
    • Various minor fixes for Python 3
    • Inserted some checks for jinja2-2.9, which can cause some issues with Ansible currently.
  • New upstream release
  • Some fixes and changes:
    • Security fix for CVE-2016-8628 - Command injection by compromised server via fact variables. In some situations, facts returned by modules could overwrite connection-based facts or some other special variables, leading to injected commands running on the Ansible controller as the user running Ansible (or via escalated permissions).
    • Security fix for CVE-2016-8614 - apt_key module not properly validating keys in some situations.
    • Added the listen feature for modules. This feature allows tasks to more easily notify multiple handlers, as well as making it easier for handlers from decoupled roles to be notified.
    • Added support for binary modules
    • Added the ability to specify serial batches as a list (serial: [1, 5, 10]), which allows for so-called "canary" actions in one play.
    • Fixed 'local type' plugins and actions to have a more predictable relative path. Fixes a regression of 1.9 (PR #16805). Existing users of 2.x will need to adjust related tasks.
    • meta tasks can now use conditionals.
    • raw now returns changed: true to be consistent with shell/command/script modules. Add changed_when: false to raw tasks to restore the pre-2.2 behavior if necessary.
    • Added a new meta option: end_play, which can be used to skip to the end of a play.
    • roles can now be included in the middle of a task list via the new include_role module; this also allows for making the role import 'loopable' and/or conditional.
    • The service module has been changed to use system specific modules if they exist and fall back to the old service module if they cannot be found or detected.
    • Add ability to specify what ssh client binary to use on the controller. This can be configured via ssh_executable in the ansible config file or by setting ansible_ssh_executable as an inventory variable if different ones are needed for different hosts.
  • Network:
    • Refactored all network modules to remove duplicate code and take advantage of Ansiballz implementation
    • All functionality from *_template network modules has been combined into the *_config module
    • Network *_command modules no longer allow configuration mode statements
  • Some new modules:
    • apache2_mod_proxy
    • digital_ocean_block_storage
    • docker (docker_network)
    • include_role
    • jenkins (jenkins_job, jenkins_plugin)
    • kibana_plugin
    • lxd (lxd_profile, lxd_container)
    • github (github_key, github_release)
    • google (gcdns_record, gcdns_zone, gce_mig)
    • vmware (vmware_guest, vmware_local_user_manager, vmware_vmotion)
  • Incompatible Changes:
    • Use of _fixup_perms with recursive=True (the default) is no longer supported. Custom action plugins using _fixup_perms will require changes unless they already use recursive=False. Use _fixup_perms2 if support for previous releases is not required. Otherwise use _fixup_perms with recursive=False.

in March

curl (7.52.1-adr1~jessie)

UTC Sun, 05 Mar 2017 19:01:20
  • Merge patches from Debian
  • New upstream release 7.52.1:
    • Make SSL_VERIFYSTATUS work again as per CVE-2017-2629
    • Fix HTTPS connection timeout with OpenSSL (Closes: #852317)
    • Fix printf floating point buffer overflow as per CVE-2016-9586 (Closes: #848958)
  • New upstream release 7.51.0:
    • Fix cookie injection for other servers as per CVE-2016-8615
    • Fix case insensitive password comparison as per CVE-2016-8616
    • Fix OOB write via unchecked multiplication as per CVE-2016-8617
    • Fix double-free in curl_maprintf as per CVE-2016-8618
    • Fix double-free in krb5 code as per CVE-2016-8619
    • Fix glob parser write/read out of bounds as per CVE-2016-8620
    • Fix curl_getdate read out of bounds as per CVE-2016-8621
    • Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
    • Fix use-after-free via shared cookies as per CVE-2016-8623
    • Fix invalid URL parsing with '#' as per CVE-2016-8624
    • Fix IDNA 2003 makes curl use wrong host
    • Fix escape and unescape integer overflows as per CVE-2016-7167 (Closes: #837945)
    • Fix incorrect reuse of client certificates (NSS backend) as per CVE-2016-7141 (Closes: #836918)
  • New upstream release 7.50.0:
    • Fix TLS session resumption client cert bypass as per CVE-2016-5419
    • Fix re-using connection with wrong client cert as per CVE-2016-5420
    • Fix use of connection struct after free as per CVE-2016-5421
    • Support OpenSSL 1.1 (Closes: #828127)

bind9 (1:9.9.5.dfsg-9+deb8u10+adr10~jessie)

UTC Sun, 05 Mar 2017 19:13:43
  • Merge 9.9.5.dfsg-9+deb8u7 from Debian:
    • [Florian Weimer] CVE-2016-2775: lwresd crash with long query name. Backport of upstream commit 38cc2d14e218e536e0102fa70deef99461354232. Closes: #831796.
    • [Florian Weimer] CVE-2016-2776: assertion failure due to unspecified crafted query. Fix based on 43139-9-9.patch from ISC. Closes: #839010.
  • Merge 9.9.5.dfsg-9+deb8u8 from Debian:
    • [Florian Weimer] CVE-2016-8864: Fix assertion failure in DNAME processing with patch provided by ISC.
  • Merge 9.9.5.dfsg-9+deb8u9 from Debian:
    • [Florian Weimer] Apply patches from ISC.
    • [Florian Weimer] CVE-2016-9131: Assertion failure related to caching of TKEY records in upstream DNS responses.
    • [Florian Weimer] CVE-2016-9147: Processing of RRSIG records in upstream DNS response without corresponding signed data could lead to an assertion failure.
    • [Florian Weimer] CVE-2016-9444: Missing RRSIG records in the authority section of upstream responses could lead to an assertion failure.
    • [Florian Weimer] RT #43779: Fix handling of CNAME/DNAME responses. (Regression due to the CVE-2016-8864 fix.)
  • Merge 9.9.5.dfsg-9+deb8u10 from Debian:
    • [Michael Gilbert] Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
    • [Michael Gilbert] Fix CVE-2017-3135: a maliciously crafted query can cause named to crash if both DNS64 and RPZ are being used (closes: #855520).
  • Create new patch from Debian diff

nginx (1.10.3-adr1~jessie)

UTC Sun, 12 Mar 2017 15:18:03
  • New upstream release (1.10.3)
  • Bugfix: in the "add_after_body" directive when used with the "sub_filter" directive.
  • Bugfix: unix domain listen sockets might not be inherited during binary upgrade on Linux.
  • Bugfix: graceful shutdown of old worker processes might require infinite time when using HTTP/2.
  • Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives client request body might be corrupted; the bug had appeared in 1.10.2.
  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2; the bug had appeared in 1.10.2.
  • Bugfix: an incorrect response might be returned when using the "sendfile" directive on FreeBSD and macOS; the bug had appeared in 1.7.8.
  • Bugfix: a truncated response might be stored in cache when using the "aio_write" directive.
  • Bugfix: a socket leak might occur when using the "aio_write" directive.

terminology (1.0.0-1+adr2~jessie)

UTC Sun, 12 Mar 2017 15:24:00
  • Add patches from git:
    • 01: terminology tabs resize - fix access of invalid memory beyond bounds
    • 02: controls: clean up code
    • 03: win: double click on tab title to change it. Closes T3143
    • 04: pty: fallback to ~ or / when creating new term if current dir is not available. Closes T5186
    • 05: may fix mouse motion reporting. T4874
    • 06: termio: remove dead code. CID1371738
    • 07: termio: reset size when size looks bogus.