Introduction

You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.

Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.

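A practical follow-up to that recommendation is knowing which of your installed packages actually came from backports. The helper below is an added example, not part of this page or of any Debian tool: it reads the `Package Version` lines that `dpkg-query -W -f='${Package} ${Version}\n'` prints and picks out the versions carrying the `~bpoNN+M` revision suffix that backports use (the sample lines are constructed from the versions announced on this page).

```python
import re

# Backport versions carry a "~bpoNN+M" revision suffix, e.g. 1:4.3.3~rc2-1~bpo70+1
# (NN is the stable release the package was built for: 60 = squeeze, 70 = wheezy).
BPO_RE = re.compile(r"~bpo(\d+)\+\d+")


def is_backport_version(version):
    """True if a Debian version string was built for a backports suite."""
    return BPO_RE.search(version) is not None


def backport_release_number(version):
    """Return the stable release number a backport targets (70 for wheezy), or None."""
    m = BPO_RE.search(version)
    return int(m.group(1)) if m else None


def installed_backports(dpkg_lines):
    """Parse 'Package Version' lines, as printed by
    dpkg-query -W -f='${Package} ${Version}\\n', and return the backported ones."""
    found = []
    for line in dpkg_lines:
        line = line.strip()
        if not line:
            continue
        pkg, _, ver = line.partition(" ")
        if is_backport_version(ver):
            found.append((pkg, ver))
    return found


# Constructed sample output: three backports plus two stock wheezy packages.
SAMPLE = """libreoffice 1:4.3.3~rc2-1~bpo70+1
drupal7 7.32-1~bpo70+1
openssh-server 1:6.0p1-4+deb7u1
mutt 1.5.21-6.2+deb7u2
ganeti 2.11.5-1~bpo70+1
""".splitlines()


if __name__ == "__main__":
    for pkg, ver in installed_backports(SAMPLE):
        print(f"{pkg} {ver} (backport for release {backport_release_number(ver)})")
```

On a real system, pipe `dpkg-query -W -f='${Package} ${Version}\n'` into `installed_backports`; the resulting list is the set of packages you need to watch for backports security announcements such as the ones below, since they are not covered by the regular stable security updates.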
News

Rene Engelhard uploaded new packages for libreoffice which fixed the
following security problems:

CVE-2014-3693:
   Use-After-Free in socket manager of Impress Remote

   It was discovered that LibreOffice 4.0.0 and later does not manage the port
   1599 for the LibreOffice Impress correctly. An external attacker with
   access to that port could cause the deleted port manager to continue to
   process attacker supplied data.

Note that this update also disables the remote control by default as it
listens on port 1599 "to the world" by default. If you want/need it you
need to enable it manually:
   1. Open LibreOffice, go to "Tools -> Options..."
   2. Select "LibreOffice Impress -> General"
   3. Check "Presentation -> Enable remote control"

For the wheezy-backports distribution the problems have been fixed in
version 1:4.3.3~rc2-1~bpo70+1.
Posted Fri Nov 7 17:00:06 2014

Gunnar Wolf uploaded new packages for Drupal7 which fixed the
following security problems:

CVE-2014-3704 / SA-CORE-2014-005:
   Highly critical: Pre Auth SQL injection

   The expandArguments function in the database abstraction API in
   Drupal core 7.x before 7.32 does not properly construct prepared
   statements, which allows remote attackers to conduct SQL injection
   attacks via an array containing crafted keys.

   https://www.drupal.org/SA-CORE-2014-005
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
   https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

For the squeeze-backports distribution the problems have been fixed in
version 7.14-2+deb7u7~bpo60+1.

For the wheezy-backports distribution the problems have been fixed in
version 7.32-1~bpo70+1.
Posted Fri Oct 17 16:52:02 2014
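
The defect described in that advisory is easy to reproduce in miniature. The block below is an added example, not Drupal's code: it models the array-placeholder expansion the advisory refers to, once in the defective form (placeholder names built from the array keys as received) and once in the corrected form (placeholder names built from a counter, the approach taken in 7.32). The query and the argument array are constructed for the demonstration.

```python
# Added example (not Drupal's code): models the placeholder expansion that
# SA-CORE-2014-005 describes, in the defective and the corrected form.

def expand_arguments_vulnerable(query, args):
    """Expand an array argument into one placeholder per element.

    The new placeholder names are built from the array *keys* as received
    (the defect the advisory describes): whatever characters a key contains
    end up verbatim in the SQL text, outside any quoting or binding.
    """
    for name, value in list(args.items()):
        if not isinstance(value, (list, tuple, dict)):
            continue
        items = value.items() if isinstance(value, dict) else enumerate(value)
        new_names = []
        for key, item in items:
            new_name = f"{name}_{key}"
            args[new_name] = item
            new_names.append(new_name)
        del args[name]
        query = query.replace(name, ", ".join(new_names))
    return query, args


def expand_arguments_hardened(query, args):
    """Same expansion, but placeholder names come from a counter (the approach
    of the 7.32 fix), so keys supplied by the caller never reach the SQL text.
    """
    for name, value in list(args.items()):
        if not isinstance(value, (list, tuple, dict)):
            continue
        values = list(value.values()) if isinstance(value, dict) else list(value)
        new_names = []
        for i, item in enumerate(values):
            new_name = f"{name}_{i}"
            args[new_name] = item
            new_names.append(new_name)
        del args[name]
        query = query.replace(name, ", ".join(new_names))
    return query, args


# Constructed request: the array keys are under the client's control
# (e.g. form fields named like name[...]), so one key carries SQL syntax.
QUERY = "SELECT name FROM users WHERE name IN (:names)"
UNTRUSTED_ARGS = {":names": {"0 -- ": "admin", "1": "guest"}}


def demo():
    """Return (vulnerable_query, hardened_query) for the constructed request."""
    bad_q, _ = expand_arguments_vulnerable(QUERY, dict(UNTRUSTED_ARGS))
    good_q, _ = expand_arguments_hardened(QUERY, dict(UNTRUSTED_ARGS))
    return bad_q, good_q


if __name__ == "__main__":
    bad_q, good_q = demo()
    print("vulnerable:", bad_q)   # the key text leaks into the SQL
    print("hardened:  ", good_q)  # only :names_0, :names_1
```

The check a reviewer would apply to any such expander is that placeholder names must be derived from data the code generates itself (a counter, a validated identifier), never from keys or names that arrive with the request.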
Guido Trotter <ultrotter@debian.org> uploaded new packages for ganeti
(2.11.5-1~bpo70+1) which fixes the following security problems:

oCERT #2014-006 (CVE pending)
  Ganeti insecure archive permission
  http://www.ocert.org/advisories/ocert-2014-006.html
  (the full text of the advisory is also included in NEWS.Debian)

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 2.11.5-1.

For the wheezy-backports distribution, these problems have been fixed in
version 2.11.5-1~bpo70+1.

The stable distribution (wheezy) is not affected by this issue.
The old stable distribution (squeeze) is not affected by this issue.
The old stable backports (squeeze-backports) is not affected by this issue.
Posted Wed Aug 13 12:24:34 2014

Harlan Lieberman-Berg uploaded new packages for ansible which fixed
the following security problems:

CVE-2014-4966
  A bug was discovered by Brian Harring that could allow for the
  escalation of a local permission access level into an arbitrary code
  execution, by interpolation of maliciously crafted file names.

CVE-2014-4967
  A bug was discovered by Brian Harring concerning the unsafe parsing
  of action arguments when an attacker can control any variable data,
  including fact data, with_fileglob data, and others.  Depending on
  what module the attacker targets, the impact ranges from information
  disclosure to arbitrary shell code execution.

For the wheezy-backports distribution, these problems have been fixed
in version 1.6.8+dfsg-1~bpo70+1.

The stable distribution (wheezy) was not affected by this issue.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1.6.8+dfsg-1.
Posted Wed Jul 23 19:55:09 2014

Rene Engelhard uploaded new packages for libreoffice which fixed the following
security problems:

CVE-2014-0247
  It was discovered that LibreOffice unconditionally executed certain VBA
  macros, contrary to user expectations.

  https://security-tracker.debian.org/tracker/CVE-2014-0247

The stable distribution (wheezy) is not affected by this issue.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1:4.2.5-1.

For the wheezy-backports distribution, these problems have been fixed in
version 1:4.2.5-1~bpo70+1.
Posted Tue Jun 24 16:13:20 2014

Colin Watson uploaded new packages for openssh which fixed the following
security problems:

CVE-2014-2532 (DSA-2894-1)
  Jann Horn discovered that OpenSSH incorrectly handled wildcards in
  AcceptEnv lines.  A remote attacker could use this issue to trick
  OpenSSH into accepting any environment variable that contains the
  characters before the wildcard character.

  https://security-tracker.debian.org/tracker/CVE-2014-2532

CVE-2014-2653 (DSA-2894-1)
  Matthew Vernon reported that if an SSH server offers a HostCertificate
  that the ssh client doesn't accept, then the client doesn't check the
  DNS for SSHFP records.  As a consequence a malicious server can
  disable SSHFP-checking by presenting a certificate.

  Note that a host verification prompt is still displayed before
  connecting.

  https://security-tracker.debian.org/tracker/CVE-2014-2653

For the wheezy-backports distribution, these problems have been fixed in
version 1:6.6p1-4~bpo70+1.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1:5.5p1-6+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 1:6.0p1-4+deb7u1.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1:6.6p1-1.
Posted Wed Apr 30 10:16:12 2014
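
Beyond upgrading, the AcceptEnv issue above is a reminder that the patterns in sshd_config decide which client-supplied environment variables reach the login session. The helper below is an added example, not OpenSSH code: it pulls the `AcceptEnv` patterns out of a (constructed) sshd_config excerpt and reports which of them would accept names you never want a client to set. It uses Python's `fnmatch` as an approximation of sshd's own whole-name `*`/`?` matcher, so treat the matching semantics as an assumption of this helper rather than a statement about sshd internals.

```python
import fnmatch

# Names a client should never be able to inject into the session environment.
RISKY_NAMES = ("LD_PRELOAD", "LD_LIBRARY_PATH", "PATH", "HOME", "SHELL")


def parse_accept_env(config_lines):
    """Collect the patterns from every AcceptEnv line (comments stripped,
    keyword matched case-insensitively like sshd_config keywords)."""
    patterns = []
    for line in config_lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "acceptenv":
            patterns.extend(parts[1:])
    return patterns


def env_name_accepted(name, patterns):
    """True if a client-requested variable name matches any pattern as a whole
    name (assumption: fnmatch's anchored glob stands in for sshd's matcher)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def audit_accept_env(patterns, risky=RISKY_NAMES):
    """Return (pattern, [risky names it admits]) for every over-broad pattern."""
    findings = []
    for pattern in patterns:
        hits = [n for n in risky if fnmatch.fnmatchcase(n, pattern)]
        if hits:
            findings.append((pattern, hits))
    return findings


# Constructed sshd_config excerpt with one deliberately over-broad line.
SAMPLE_CONFIG = """
PermitRootLogin no
AcceptEnv LANG LC_*
AcceptEnv GIT_* *_PROXY
AcceptEnv *   # accepts everything, including LD_PRELOAD
""".splitlines()


if __name__ == "__main__":
    patterns = parse_accept_env(SAMPLE_CONFIG)
    for pattern, hits in audit_accept_env(patterns):
        print(f"over-broad AcceptEnv pattern {pattern!r} admits: {', '.join(hits)}")
```

Run it against `/etc/ssh/sshd_config` on the server side; a clean result means no pattern admits the listed names, which is the configuration state the advisory's fixed sshd enforces as written.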
Evgeni Golov uploaded new packages for mutt which fixed the
following security problems:

CVE-2014-0467 / DSA-2874-1
  Beatrice Torracca and Evgeni Golov discovered a buffer overflow in the
  mutt mailreader. Malformed RFC2047 header lines could result in denial
  of service or potentially the execution of arbitrary code.

For the squeeze-backports distribution the problems have been fixed in
version 1.5.21-6.2+deb7u2~bpo60+1.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.5.20-9+squeeze3.

For the stable distribution (wheezy), this problem has been fixed in
version 1.5.21-6.2+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.5.22-2.

We recommend that you upgrade your mutt packages.
Posted Sat Mar 15 13:00:10 2014

Andreas Metzler uploaded new packages for gnutls28 which fixed the
following security problems:

CVE-2014-1959 / DSA 2866-1 / GNUTLS-SA-2014-1
  Suman Jana reported that GnuTLS, deviating from the documented
  behavior, considers a version 1 intermediate certificate as a CA
  certificate by default.

For the testing distribution (jessie) and the unstable distribution
(sid), this problem has been fixed in gnutls26/2.12.23-12 and
gnutls28/3.2.11-1.

For the stable distribution this problem has been fixed in
gnutls26/2.12.20-8.
Posted Sat Feb 22 14:11:49 2014

intrigeri uploaded new packages for pidgin which fixed the following security
problems:

CVE-2013-6477
  Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by
  sending a message with a timestamp in the distant future.

CVE-2013-6478
  Pidgin could be crashed through overly wide tooltip windows.

CVE-2013-6479
  Jacob Appelbaum discovered that a malicious server or a "man in the middle"
  could send a malformed HTTP header resulting in denial of service.

CVE-2013-6481
  Daniel Atallah discovered that Pidgin could be crashed through malformed
  Yahoo! P2P messages.

CVE-2013-6482
  Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be
  crashed through malformed MSN messages.

CVE-2013-6483
  Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be
  crashed through malformed XMPP messages.

CVE-2013-6484
  It was discovered that incorrect error handling when reading the response from
  a STUN server could result in a crash.

CVE-2013-6485
  Matt Jones discovered a buffer overflow in the parsing of malformed
  HTTP responses.

CVE-2013-6487
  Yves Younan and Ryan Pentney discovered a buffer overflow when parsing
  Gadu-Gadu messages.

CVE-2013-6489
  Yves Younan and Pawel Janic discovered an integer overflow when parsing
  MXit emoticons.

CVE-2013-6490
  Yves Younan discovered a buffer overflow when parsing SIMPLE headers.

CVE-2014-0020
  Daniel Atallah discovered that Pidgin could be crashed via malformed
  IRC arguments.

For the squeeze-backports distribution the problems have been fixed in version
2.10.9-1~bpo60+1.

For the oldstable distribution (squeeze), no direct backport is provided.
One should use the fixed package from squeeze-backports instead.

For the stable distribution (wheezy), these problems have been fixed in version
2.10.9-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version
2.10.9-1.
Posted Sat Feb 15 10:31:23 2014

intrigeri uploaded new packages for nss which fixed the
following security problems:

CVE-2013-1739 (DSA-2790-1)
  A flaw was found in the way the Mozilla Network Security Service library (nss)
  read uninitialized data when there was a decryption failure. A remote attacker
  could use this flaw to cause a denial of service (application crash) for
  applications linked with the nss library.

CVE-2013-5605 (DSA-2800-1)
  Andrew Tinits reported a potentially exploitable buffer overflow in the
  Mozilla Network Security Service library (nss). With a specially crafted
  request a remote attacker could cause a denial of service or possibly execute
  arbitrary code.

For the squeeze-backports distribution the problems have been fixed in
version 2:3.14.5-1~bpo60+1.

For the oldstable distribution (squeeze), the problems have been fixed in
version 3.12.8-1+squeeze7.

For the stable distribution (wheezy), the problems have been fixed in version
2:3.14.5-1.

For the testing (jessie) and unstable (sid) distributions, the problems have
been fixed in version 2:3.15.3-1.
Posted Sun Feb 9 13:55:55 2014