Introduction

You are running Debian stable, because you prefer the Debian stable tree. It runs great; there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.

Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.

Where to start

News

Andreas Metzler uploaded new packages for gnutls28 which fixed the
following security problems:

CVE-2014-1959 / DSA 2866-1 / GNUTLS-SA-2014-1
  Suman Jana reported that GnuTLS, deviating from the documented
  behavior considers a version 1 intermediate certificate as a CA
  certificate by default.

For the testing distribution (jessie) and the unstable distribution
(sid), this problem has been fixed in gnutls26/2.12.23-12 and
gnutls28/3.2.11-1.

For the stable distribution this problem has been fixed in
gnutls26/2.12.20-8.
Posted Sat Feb 22 14:11:49 2014

intrigeri uploaded new packages for pidgin which fixed the following security
problems:

CVE-2013-6477
  Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by
  sending a message with a timestamp in the distant future.

CVE-2013-6478
  Pidgin could be crashed through overly wide tooltip windows.

CVE-2013-6479
  Jacob Appelbaum discovered that a malicious server or a "man in the middle"
  could send a malformed HTTP header resulting in denial of service.

CVE-2013-6481
  Daniel Atallah discovered that Pidgin could be crashed through malformed
  Yahoo! P2P messages.

CVE-2013-6482
  Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be
  crashed through malformed MSN messages.

CVE-2013-6483
  Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be
  crashed through malformed XMPP messages.

CVE-2013-6484
  It was discovered that incorrect error handling when reading the response from
  a STUN server could result in a crash.

CVE-2013-6485
  Matt Jones discovered a buffer overflow in the parsing of malformed
  HTTP responses.

CVE-2013-6487
  Yves Younan and Ryan Pentney discovered a buffer overflow when parsing
  Gadu-Gadu messages.

CVE-2013-6489
  Yves Younan and Pawel Janic discovered an integer overflow when parsing
  MXit emoticons.

CVE-2013-6490
  Yves Younan discovered a buffer overflow when parsing SIMPLE headers.

CVE-2014-0020
  Daniel Atallah discovered that Pidgin could be crashed via malformed
  IRC arguments.

For the squeeze-backports distribution the problems have been fixed in version
2.10.9-1~bpo60+1.

For the oldstable distribution (squeeze), no direct backport is provided.
One should use the fixed package from squeeze-backports instead.

For the stable distribution (wheezy), these problems have been fixed in version
2.10.9-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version
2.10.9-1.
Posted Sat Feb 15 10:31:23 2014

intrigeri uploaded new packages for nss which fixed the
following security problems:

CVE-2013-1739 (DSA-2790-1)
  A flaw was found in the way the Mozilla Network Security Service library (nss)
  read uninitialized data when there was a decryption failure. A remote attacker
  could use this flaw to cause a denial of service (application crash) for
  applications linked with the nss library.

CVE-2013-5605 (DSA-2800-1)
  Andrew Tinits reported a potentially exploitable buffer overflow in the
  Mozilla Network Security Service library (nss). With a specially crafted
  request a remote attacker could cause a denial of service or possibly execute
  arbitrary code.

For the squeeze-backports distribution the problems have been fixed in
version 2:3.14.5-1~bpo60+1.

For the oldstable distribution (squeeze), the problems have been fixed in
version 3.12.8-1+squeeze7.

For the stable distribution (wheezy), the problems have been fixed in version
2:3.14.5-1.

For the testing (jessie) and unstable (sid) distributions, the problems have
been fixed in version 2:3.15.3-1.
Posted Sun Feb 9 13:55:55 2014

intrigeri uploaded new packages for xorg-server which fixed the
following security problem:

CVE-2013-4396
  Pedro Ribeiro discovered a use-after-free in the handling of
  ImageText requests in the Xorg Xserver, which could result in denial
  of service or privilege escalation.

  https://security-tracker.debian.org/tracker/CVE-2013-4396
  http://www.debian.org/security/2013/dsa-2784

For the squeeze-backports distribution, this problem has been fixed in
version 1.10.4-1~bpo60+2.

For the oldstable distribution (squeeze), this problem has been fixed
in version 1.7.7-17.

For the stable distribution (wheezy), this problem has been fixed in
version 1.12.4-6+deb7u1.

For the testing (jessie) and unstable (sid) distributions, this
problem has been fixed in version 1.14.3-4.
Posted Sun Dec 15 11:53:55 2013

Dominic Hargreaves uploaded new packages for python-django which fixed the
following security problems:

CVE-2013-6044

Nick Brunn reported a possible cross-site scripting vulnerability in
python-django, a high-level Python web development framework.

The is_safe_url utility function used to validate that a used URL is on
the current host to avoid potentially dangerous redirects from
maliciously-constructed querystrings, worked as intended for HTTP and
HTTPS URLs, but permitted redirects to other schemes, such as
javascript:.

The is_safe_url function has been modified to properly recognize and
reject URLs which specify a scheme other than HTTP or HTTPS, to prevent
cross-site scripting attacks through redirecting to other schemes.

CVE-2013-4315

Rainer Koirikivi discovered a directory traversal vulnerability with
'ssi' template tags in python-django, a high-level Python web
development framework.

It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting,
used to represent allowed prefixes for the {% ssi %} template tag, is
vulnerable to a directory traversal attack, by specifying a file path
which begins as the absolute path of a directory in
'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to alter
templates on the site, or the site to be attacked must have one or more
templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag.

CVE-2013-1443

It was discovered that python-django, a high-level Python web
development framework, is prone to a denial of service vulnerability
via large passwords.

A non-authenticated remote attacker could mount a denial of service by
submitting arbitrarily large passwords, tying up server resources in
the expensive computation of the corresponding hashes to verify the
password.

For the squeeze-backports distribution the problems have been fixed in
version 1.4.5-1+deb7u4~bpo60+1.
Posted Mon Dec 9 20:55:11 2013
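The two python-django issues above that turn on a validation check, CVE-2013-6044 (redirect scheme check in is_safe_url) and CVE-2013-4315 (ALLOWED_INCLUDE_ROOTS prefix check for the ssi tag), are easier to reason about with the checks written out. The following is an added example, not Django's own code; the function names `is_safe_url`, `is_allowed_include` and `naive_is_allowed_include`, the `host` and `allowed_roots` parameters and all sample paths are assumptions for illustration. The naive include check reproduces the string-prefix behaviour the advisory describes, so that the canonical-path version beside it shows why resolving the path first matters.

```python
"""Added example (not Django's code): hardened forms of the redirect-target
and include-root checks described in the python-django advisory."""
import os
from typing import Iterable
from urllib.parse import urlparse

# Only these schemes are acceptable redirect targets; anything else
# (javascript:, data:, vbscript:, ...) is rejected outright.
ALLOWED_SCHEMES = ("http", "https")


def is_safe_url(url: str, host: str) -> bool:
    """Return True only if `url` is a relative URL or an http(s) URL on `host`.

    Hypothetical reimplementation of the check described for CVE-2013-6044:
    a redirect target is safe when it has no scheme or an HTTP/HTTPS
    scheme, and when any host it names is the current host.
    """
    if not url:
        return False
    # Browsers ignore leading whitespace/control characters, so
    # " javascript:alert(1)" must not slip through as a scheme-less path.
    url = url.strip()
    # Protocol-relative ("//evil") and backslash forms ("/\evil") are
    # treated as absolute URLs by several browsers; reject them early.
    if url.startswith(("//", "/\\", "\\")):
        return False
    parsed = urlparse(url)  # urlparse lowercases the scheme for us
    if parsed.scheme and parsed.scheme not in ALLOWED_SCHEMES:
        return False
    # A scheme without a host ("http:evil.example") is parsed differently
    # across browsers; treat it as unsafe rather than guess.
    if parsed.scheme and not parsed.netloc:
        return False
    return (not parsed.netloc) or parsed.netloc == host


def naive_is_allowed_include(path: str, allowed_roots: Iterable[str]) -> bool:
    """The string-prefix check the advisory describes as vulnerable:
    '/srv/templates/../../etc/passwd' starts with '/srv/templates'."""
    return any(path.startswith(root) for root in allowed_roots)


def is_allowed_include(path: str, allowed_roots: Iterable[str]) -> bool:
    """Decide whether `path` lies inside one of `allowed_roots` after
    canonicalisation, so '..' segments and symlinks cannot escape a root."""
    real = os.path.realpath(path)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        # commonpath compares whole path components, which also closes the
        # '/srv/templates' vs '/srv/templates-private' prefix trap.
        if os.path.commonpath([real, root_real]) == root_real:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real site.
    for candidate in ("/accounts/profile/", "https://example.com/next",
                      "javascript:alert(1)", "//evil.example/"):
        print(f"{candidate!r:35} safe={is_safe_url(candidate, 'example.com')}")
    roots = ["/srv/templates"]
    escape = "/srv/templates/../../etc/passwd"
    print("naive:", naive_is_allowed_include(escape, roots),
          "canonical:", is_allowed_include(escape, roots))
```

The include check deliberately resolves both the candidate and each root with `os.path.realpath` before comparing, so the answer does not depend on how the path was spelled; the redirect check rejects rather than normalises anything it cannot classify with certainty.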

Wouter Verhelst uploaded new packages for nbd which fixed the
following security problems:

CVE-2013-6410
  Incorrect parsing of the access control lists

For the squeeze-backports distribution the problem has been fixed in
version 1:3.2-4~deb7u4~bpo60+1

nbd is not present in any other backports repository.
Posted Wed Dec 4 15:57:10 2013

Updated strongswan packages for squeeze-backports and wheezy-backports
fix the following vulnerabilities:

- CVE-2013-2944: When using the openssl plugin for ECDSA based
  authentication, an empty, zeroed or otherwise invalid signature is
  handled as a legitimate one.

- CVE-2013-6075: DoS vulnerability and potential authorization bypass
  triggered by a crafted ID_DER_ASN1_DN ID payload.

- CVE-2013-6076: DoS vulnerability triggered by crafted IKEv1
  fragmentation payloads.

The squeeze-backports distribution was affected by CVE-2013-2944 and
CVE-2013-6075. These problems have been fixed in version
4.5.2-1.5+deb7u2~bpo60+1.

The wheezy-backports distribution was affected by CVE-2013-6075 and
CVE-2013-6076. These problems have been fixed in version
5.1.0-3~bpo70+1.
Posted Tue Nov 12 22:20:01 2013

Colin Watson uploaded new packages for openssh which fixed the following
security problems:

CVE-2013-4548
  A memory corruption vulnerability exists in the post-authentication
  sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or
  aes256-gcm@openssh.com) is selected during kex exchange.

  If exploited, this vulnerability might permit code execution with the
  privileges of the authenticated user and may therefore allow bypassing
  restricted shell/command configurations.

  https://security-tracker.debian.org/tracker/CVE-2013-4548

For the wheezy-backports distribution, this problem has been fixed in
version 1:6.4p1-1~bpo70+1.

For the testing (jessie) and unstable (sid) distributions, this problem
has been fixed in version 1:6.4p1-1.

Other distributions are not vulnerable.
Posted Tue Nov 12 22:20:01 2013

Package        : roundcube
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6172
Debian Bug     : 727668

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, does not properly sanitize the _session
parameter in steps/utils/save_pref.inc during saving preferences. The
vulnerability can be exploited to overwrite configuration settings and
subsequently allow random file access, manipulated SQL queries and
even code execution.

roundcube in the oldstable distribution (squeeze) is not affected by
this problem.

For backports for the oldstable distribution (squeeze-backports-sloppy),
this problem has been fixed in 0.9.5-1~bpo60+1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.7.2-9+deb7u1.

For backports for the stable distribution (wheezy-backports),
this problem has been fixed in 0.9.5-1~bpo70+1.

For the unstable distribution (sid), this problem has been fixed in
version 0.9.4-1.1.

We recommend that you upgrade your roundcube packages.
Posted Tue Nov 12 21:33:26 2013

Dominic Hargreaves uploaded new packages for request-tracker4 which
fixed the following security problems:

CVE-2012-4733

    A user with the ModifyTicket right can bypass the DeleteTicket right
    or any custom lifecycle transition rights and thus modify ticket data
    without authorization.

CVE-2013-3368

    The rt command line tool uses semi-predictable temporary files. A
    malicious user can use this flaw to overwrite files with permissions
    of the user running the rt command line tool.

CVE-2013-3369

    A malicious user who is allowed to see administration pages can run
    arbitrary mason components (without control of arguments), which may
    have negative side-effects.

CVE-2013-3370

    Request Tracker allows direct requests to private callback
    components, which could be used to exploit a Request Tracker
    extension or a local callback which uses the arguments passed to it
    insecurely.

CVE-2013-3371

    Request Tracker is vulnerable to cross-site scripting attacks via
    attachment filenames.

CVE-2013-3372

    Dominic Hargreaves discovered that Request Tracker is vulnerable to
    an HTTP header injection limited to the value of the
    Content-Disposition header.

CVE-2013-3373

    Request Tracker is vulnerable to a MIME header injection in outgoing
    email generated by Request Tracker.

    Request Tracker stock templates are resolved by this update. But any
    custom email templates should be updated to ensure that values
    interpolated into mail headers do not contain newlines.

CVE-2013-3374

    Request Tracker is vulnerable to limited session re-use when using
    the file-based session store, Apache::Session::File. However Request
    Tracker's default session configuration only uses
    Apache::Session::File when configured for Oracle databases.

This version of Request Tracker includes a database content upgrade. If
you are using a dbconfig-managed database, you will be offered the
choice of applying this automatically. Otherwise see the explanation in
/usr/share/doc/request-tracker4/NEWS.Debian.gz for the manual steps to
perform.

Please note that if you run request-tracker4 under the Apache web
server, you must stop and start Apache manually. The "restart" mechanism
is not recommended, especially when using mod_perl or any form of
persistent perl process such as FastCGI or SpeedyCGI.

For the squeeze-backports distribution the problems have been fixed in
version 4.0.7-5+deb7u2~bpo60+1.
Posted Thu Jun 20 20:20:26 2013
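The note under CVE-2013-3373 above tells operators of custom templates to make sure that values interpolated into mail headers contain no newlines, and CVE-2013-3372 describes the same class of problem for the Content-Disposition header. The following is an added example, not Request Tracker's code (RT is written in Perl; this is a language-neutral illustration in Python): it shows a header builder that refuses a value carrying CR or LF, and a Content-Disposition builder that strips control characters from an attachment filename. The names `safe_header_value`, `content_disposition`, `render_headers` and `HeaderInjection`, and the sample field values, are assumptions for illustration.

```python
"""Added example (not Request Tracker's code): guard values interpolated
into mail or HTTP headers against CR/LF header injection."""
import re

# Any carriage return or line feed inside a header value would start a
# new header line (or end the header block) in the rendered message.
CRLF_RE = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a value would inject an extra header line."""


def safe_header_value(value: str) -> str:
    """Return `value` unchanged if it is safe to place in a header line.

    Rejecting is preferred over silently stripping here: a subject or
    recipient that contains a newline is a sign of tampered input, and a
    template author should see the failure rather than ship the mail.
    """
    if CRLF_RE.search(value):
        raise HeaderInjection(f"newline in header value: {value!r}")
    return value


def content_disposition(filename: str) -> str:
    """Build an attachment Content-Disposition header from a filename.

    Filenames come from users, so control characters (including CR/LF)
    are dropped and quote/backslash characters are escaped so the value
    stays inside its quoted-string.
    """
    cleaned = "".join(ch for ch in filename if ch >= " " and ch != "\x7f")
    cleaned = cleaned.replace("\\", "\\\\").replace('"', '\\"')
    return f'attachment; filename="{cleaned}"'


def render_headers(fields: dict) -> str:
    """Render a header block; every value passes through safe_header_value."""
    lines = [f"{name}: {safe_header_value(value)}" for name, value in fields.items()]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed sample values, not from any real ticket.
    print(render_headers({"Subject": "Re: [example #12] printer jam",
                          "To": "user@example.test"}), end="")
    print(content_disposition('quarterly "report".pdf'))
    try:
        render_headers({"Subject": "hello\r\nBcc: other@example.test"})
    except HeaderInjection as exc:
        print("rejected:", exc)
```

`render_headers` is the piece a template would call; keeping the check in one function means a custom template cannot forget it for an individual header. Non-ASCII header values would additionally need RFC 2047 encoding, which the example leaves out because the advisory's point is the newline check.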