Introduction

You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.

Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.

News

Rene Engelhard uploaded new packages for libreoffice which fixed the
following security problem:

CVE-2015-1774:
   It was discovered that missing input sanitising in Libreoffice's filter
   for HWP documents may result in the execution of arbitrary code if a
   malformed document is opened.

For the squeeze-backports distribution the problem has been fixed in
version 1:3.5.4+dfsg2-0deb7u4~bpo60+1.

For the wheezy-backports distribution the problem has been fixed in
version 1:4.3.3-2+deb8u1~bpo70+1.
Posted Mon Apr 27 03:55:40 2015

 Dear users of the backports service!

 With the release of Jessie (coming up) we are pleased to open the doors
for jessie-backports and wheezy-backports-sloppy (mostly all
architectures are already buildable there, too).  Whee!

 But, PLEASE DO READ ON, there are some changes in the process that we
would like to do for the new upload pockets.


== What to upload where ==

 As a reminder, uploads to a release-backports pocket are to be taken
from release + 1, uploads to a release-backports-sloppy pocket are to be
taken from release + 2.  Which means:

 Source Distribution | Backports Distribution | Sloppy Distribution
---------------------|------------------------|--------------------------
 stretch             | jessie-backports       | wheezy-backports-sloppy
 jessie              | wheezy-backports       | squeeze-backports-sloppy


== We drop -v switch hard requirement ==

 We required uploads to contain the changelog entries since the former
version in stable in the changes file.  This was quite convenient for
people reading the changes through the changes mailinglist but
especially also for the backports team when processing packages.

 Given that the changelogs of former backports and the packages
backported are available through the packages.debian.org website
(amongst other sources) and that it was annoying to both backporters and
also us as backports team we are dropping it as hard requirement.  It
would still be pretty awesome for the above mentioned reasons if you
could keep it as part of your workflow, especially for uploads that end
in the policy queue, but we won't reject packages based solely on that
anymore.


== Versioning ==

 Previously we used ~bpo70+1 as suffix for the versions of uploads.  We
were asked whether we might want to align that with the other suffixes
used and drop the zero from within there, and yes, we will drop it.
This means that uploads to jessie-backports should use ~bpo8+1 as
suffix, and also wheezy-backports-sloppy uses ~bpo7+1 as suffix.

 For wheezy-backports please still use ~bpo70+1 version suffixes
because of sorting reasoning, especially if there are also
squeeze-backports-sloppy packages around.  Which brings us to ...


== squeeze-backports* ==

 As you are probably aware, squeeze is still a supported release through
LTS.  The same goes for the squeeze-backports* suites, you can consider
them to be around for the same timeframe that LTS is going to be around.


== Statistics ==

 For packages backported from jessie, so far we have 995 different
source packages in wheezy-backports, and 27 different source packages in
squeeze-backports-sloppy.  Those 995 source packages took 1729 uploads
to become reality.


== Thanks ==

 Thanks have to go out to all people making backports possible, and that
includes up front the backporters themselves who do upload the packages,
track and update them on a regular basis, but also the buildd team
making the autobuilding possible and the ftp masters for creating the
suites in the first place.

 Enjoy, and continue being awesome!
Rhonda, on behalf of the Backports Team
Posted Sun Apr 26 06:34:33 2015

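The sorting argument from the Versioning section above, worked through as an added example that is not part of the announcement: a Python port of dpkg's version ordering (the algorithm documented in deb-version(7)); the function names are mine. It shows that for the same jessie source version, a wheezy-backports build with ~bpo70+1 sorts above the squeeze-backports-sloppy build with ~bpo60+1, whereas ~bpo7+1 would sort below it and break the upgrade path, while every ~bpo suffix still sorts below the unsuffixed version in the source release.

```python
# Added example (not from the announcement): a Python port of dpkg's version
# ordering, used to show why wheezy-backports keeps ~bpo70+1 while
# jessie-backports moves to ~bpo8+1 (algorithm as documented in deb-version(7)).

def _order(c):
    # dpkg's order(): '~' sorts before everything (even end of string), letters before symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare one version part by alternating non-digit runs (via _order)
    # and digit runs (as integers).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        na = nb = 0  # numeric run, so 70 > 6 but 7 < 60
        while i < len(a) and a[i].isdigit():
            na, i = na * 10 + int(a[i]), i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb * 10 + int(b[j]), j + 1
        if na != nb:
            return na - nb
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; the revision starts at the last hyphen.
    epoch, sep, rest = version.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # Like `dpkg --compare-versions`: -1 if a < b, 0 if equal, 1 if a > b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    for c in ((ea > eb) - (ea < eb), _cmp_fragment(ua, ub), _cmp_fragment(ra, rb)):
        if c:
            return 1 if c > 0 else -1
    return 0

def upgrade_path_ok(older_suite_version, newer_suite_version):
    # True when apt would move from the older suite's build to the newer one.
    return compare_versions(newer_suite_version, older_suite_version) > 0
```

The libreoffice version 1:4.3.3-2 used below is the wheezy-backports source version from the announcement on this page; the ~bpo60+1 and ~bpo7+1 variants are constructed to illustrate the sorting.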
Matthew Vernon uploaded new packages for shibboleth-sp which fixed the
following security problems:

CVE-2015-2684
  A denial of service vulnerability was found in the Shibboleth (a
  federated identity framework) Service Provider. When processing
  certain malformed SAML messages generated by an authenticated
  attacker, the daemon could crash.

For the wheezy-backports distribution the problems have been fixed in
version 2.5.3+dfsg-2~bpo70+1.
Posted Tue Apr 14 11:18:29 2015

Dominic Hargreaves uploaded new packages for request-tracker4 which fixed the
following security problems:

CVE-2014-9472
  Remote DoS via email gateway

CVE-2015-1165
  Information disclosure revealing RSS feed URLs

CVE-2015-1464
  Privilege escalation via RSS feed URLs

For the wheezy-backports distribution the problems have been fixed in
version 4.0.19-1~bpo70+2.

The problems have been fixed in other distributions as follows:

* sid/jessie: 4.2.8-3
* wheezy: 4.0.7-5+deb7u3.
* squeeze-backports: 4.0.7-5+deb7u3~bpo60+1
* squeeze-lts: 3.8.8-7+squeeze9 (of request-tracker3.8)
Posted Sat Mar 21 13:17:04 2015

Rene Engelhard uploaded new packages for libreoffice which fixed the
following security problems:

CVE-2014-3693:
   Use-After-Free in socket manager of Impress Remote

   It was discovered that LibreOffice 4.0.0 and later does not manage the port
   1599 for the LibreOffice Impress correctly. An external attacker with
   access to that port could cause the deleted port manager to continue to
   process attacker supplied data.

Note that this update also disables the remote control per default as it
listens on port 1599 "to the world" per default. If you want/need it you
need to enable it manually:
   1. Open LibreOffice, go to "Tools -> Options..."
   2. Select "LibreOffice Impress -> General"
   3. Check "Presentation -> Enable remote control"

For the wheezy-backports distribution the problems have been fixed in
version 1:4.3.3~rc2-1~bpo70+1.
Posted Fri Nov 7 17:00:06 2014

Gunnar Wolf uploaded new packages for Drupal7 which fixed the
following security problems:

CVE-2014-3704 / SA-CORE-2014-005:
   Highly critical: Pre Auth SQL injection

   The expandArguments function in the database abstraction API in
   Drupal core 7.x before 7.32 does not properly construct prepared
   statements, which allows remote attackers to conduct SQL injection
   attacks via an array containing crafted keys.

   https://www.drupal.org/SA-CORE-2014-005
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
   https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

For the squeeze-backports distribution the problems have been fixed in
version 7.14-2+deb7u7~bpo60+1.

For the wheezy-backports distribution the problems have been fixed in
version 7.32-1~bpo70+1.
Posted Fri Oct 17 16:52:02 2014

Guido Trotter <ultrotter@debian.org> uploaded new packages for ganeti
(2.11.5-1~bpo70+1) which fixes the following security problems:

oCERT #2014-006 (CVE pending)
  Ganeti insecure archive permission
  http://www.ocert.org/advisories/ocert-2014-006.html
  (the full text of the advisory is also included in NEWS.Debian)

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 2.11.5-1.

For the wheezy-backports distribution, these problems have been fixed in
version 2.11.5-1~bpo70+1.

The stable distribution (wheezy) is not affected by this issue.
The old stable distribution (squeeze) is not affected by this issue.
The old stable backports (squeeze-backports) is not affected by this issue.
Posted Wed Aug 13 12:24:34 2014

Harlan Lieberman-Berg uploaded new packages for ansible which fixed
the following security problems:

CVE-2014-4966
  A bug was discovered by Brian Harring that could allow for the
  escalation of a local permission access level into an arbitrary code
  execution, by interpolation of maliciously crafted file names.

CVE-2014-4967
  A bug was discovered by Brian Harring concerning the unsafe parsing
  of action arguments when an attacker can control any variable data,
  including fact data, with_fileglob data, and others.  Depending on
  what module the attacker targets, the impact ranges from information
  disclosure to arbitrary shell code execution.

For the wheezy-backports distribution, these problems have been fixed
in version 1.6.8+dfsg-1~bpo70+1.

The stable distribution (wheezy) was not affected by this issue.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1.6.8+dfsg-1.
Posted Wed Jul 23 19:55:09 2014

Rene Engelhard uploaded new packages for libreoffice which fixed the following
security problems:

CVE-2014-0247
  It was discovered that LibreOffice unconditionally executed certain VBA
  macros, contrary to user expectations.

  https://security-tracker.debian.org/tracker/CVE-2014-0247

The stable distribution (wheezy) is not affected by this issue.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1:4.2.5-1.

For the wheezy-backports distribution, these problems have been fixed in
version 1:4.2.5-1~bpo70+1.
Posted Tue Jun 24 16:13:20 2014

Colin Watson uploaded new packages for openssh which fixed the following
security problems:

CVE-2014-2532 (DSA-2894-1)
  Jann Horn discovered that OpenSSH incorrectly handled wildcards in
  AcceptEnv lines.  A remote attacker could use this issue to trick
  OpenSSH into accepting any environment variable that contains the
  characters before the wildcard character.

  https://security-tracker.debian.org/tracker/CVE-2014-2532

CVE-2014-2653 (DSA-2894-1)
  Matthew Vernon reported that if a SSH server offers a HostCertificate
  that the ssh client doesn't accept, then the client doesn't check the
  DNS for SSHFP records.  As a consequence a malicious server can
  disable SSHFP-checking by presenting a certificate.

  Note that a host verification prompt is still displayed before
  connecting.

  https://security-tracker.debian.org/tracker/CVE-2014-2653

For the wheezy-backports distribution, these problems have been fixed in
version 1:6.6p1-4~bpo70+1.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1:5.5p1-6+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 1:6.0p1-4+deb7u1.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1:6.6p1-1.
Posted Wed Apr 30 10:16:12 2014