Introduction

You are running Debian stable because you prefer the Debian stable tree. It runs great; there is just one problem: the software is a little outdated compared to other distributions. This is where backports come in.

Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

It is therefore recommended to select only the individual backported packages that fit your needs, and not to use all available backports.

Where to start

News

      Dear users of the backports service!

 The Backports Team is pleased to announce the next important step
on getting backports more integrated.  People who are reading
debian-infrastructure-announce[1] will have seen that there was an
archive maintenance last weekend: starting with wheezy-backports the
packages will be accessible from the regular pool instead of a separate
one.


== For Users ==

 What exactly does that mean for you?  For users of wheezy, the
sources.list entry will be different, a simple substitute of squeeze
for wheezy won't work.  The new format is:

 deb http://ftp.debian.org/debian/ wheezy-backports main

 So it is debian instead of debian-backports, and offered through the
regular mirror network.  Feel invited to check your regular mirror if
it carries backports and pull from there.

For squeeze nothing changed.

deb http://backports.debian.org/debian-backports/ squeeze-backports(-sloppy) main

continues to work for the whole squeeze lifetime.

== For Contributors ==

 Please read the mail to debian-devel-announce[5] instead. :)

 Just one thing mentioned here:  technically wheezy-backports and
squeeze-backports-sloppy have been opened with this move too.  Only, the Buildd
Team needs some days to set up the buildd network for the new suites, so please
be a bit more patient.


== Thanks ==

 Finally, we want to thank the FTP-Master Team for their fine work on
making this happen.

 The documentation on backports-master[2] has been updated, and in
case of any doubt or question, feel free to ask them on either the
debian-backports mailing list[3], or in case of sensitive topics ask
us[4] directly.
Posted Sun 07 Apr 2013 05:42:01 PM UTC

Jan Wagner uploaded new packages for icinga which fixed the following security problems:

CVE-2012-6096
  CGI buffer overflows

  https://security-tracker.debian.org/tracker/CVE-2012-6096

For the squeeze-backports distribution the problems have been fixed in
version 1.7.1-5~bpo60+1 of the icinga package.

For the testing distribution (wheezy) these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.7.1-5 of the icinga package.
Posted Mon 14 Jan 2013 01:00:37 PM UTC

Paul Wise uploaded new packages for freetype which fixed the following security problems:

CVE-2012-5668: NULL Pointer Dereference in bdf_free_font.
CVE-2012-5669: Out-of-bounds read in _bdf_parse_glyphs.
CVE-2012-5670: Out-of-bounds write in _bdf_parse_glyphs.

For the squeeze-backports distribution the problems have been fixed in
version 2.4.9-1.1~bpo60+1.
Posted Wed 09 Jan 2013 01:28:35 PM UTC

Rene Engelhard uploaded new packages for libreoffice which fixed the following security problems:

CVE-2012-1149
        multiple heap-based buffer overflows in OpenOffice.org's
        XML manifest encryption tag parsing code

For the squeeze-backports distribution the problems have been fixed
in version 1:3.5.4-7~bpo60+1.
Posted Thu 23 Aug 2012 10:51:07 AM UTC

Rene Engelhard uploaded new packages for libreoffice which fixed the following security problem:

CVE-2012-1149
        Integer overflows in PNG image handling

For the squeeze-backports distribution the problems have been fixed in
version 1:3.4.6-2~bpo60+2.
Posted Tue 12 Jun 2012 10:53:41 PM UTC

Micah Anderson uploaded new packages for strongswan which fixed the following security problems:

CVE-2012-2388

 An authentication bypass issue was discovered by the Codenomicon
 CROSS project in strongSwan, an IPsec-based VPN solution. When using
 RSA-based setups, a missing check in the gmp plugin could allow an
 attacker presenting a forged signature to successfully authenticate
 against a strongSwan responder.

For the squeeze-backports distribution the problems have been fixed in
version 4.5.2-1.4~bpo60+1.
Posted Mon 04 Jun 2012 08:11:13 PM UTC

Dominic Hargreaves uploaded new packages for request-tracker4 which fixed the following security problems:

CVE-2011-2082

   The vulnerable-passwords scripts introduced for CVE-2011-0009
   failed to correct the password hashes of disabled users.

CVE-2011-2083

   Several cross-site scripting issues have been discovered.  

CVE-2011-2084

   Password hashes could be disclosed by privileged users.

CVE-2011-2085

   Several cross-site request forgery vulnerabilities have been
   found. If this update breaks your setup, you can restore the old
   behaviour by setting $RestrictReferrer to 0.

CVE-2011-4458

   The code to support variable envelope return paths allowed the
   execution of arbitrary code.

CVE-2011-4459

   Disabled groups were not fully accounted as disabled.

CVE-2011-4460

   SQL injection vulnerability, only exploitable by privileged users.

For the squeeze-backports distribution the problems have been fixed in
version 4.0.5-3~bpo60+1.
Posted Mon 28 May 2012 08:49:45 AM UTC

Cyril Lavier uploaded new packages for nginx which fixed the following security problems:

CVE-2012-2089 - nginx -- arbitrary code execution in mp4
pseudo-streaming module

A flaw was reported in the nginx standard mp4 pseudo-streaming module. A
specially-crafted mp4 file could allow for the overwriting of memory
locations in a worker process if ngx_http_mp4_module were used. This
could potentially result in arbitrary code execution with the privileges
of the unprivileged nginx user.

This has been corrected in upstream 1.0.15 and 1.1.9 versions, and only
affected versions newer than 1.1.3 and 1.0.7 when built with the
ngx_http_mp4_module and had the "mp4" directive set in the configuration
file.

For the squeeze-backports distribution the problems have been fixed in
version

    1.1.19-1~bpo60+1

For wheezy (testing) and sid (unstable) this was fixed in version

    1.1.19-1

Squeeze (stable) is not vulnerable to this security issue.
Posted Mon 28 May 2012 08:44:57 AM UTC

Christian Perrier uploaded new packages for samba which fixed the following security problem:

CVE-2012-1182
  PIDL-based autogenerated code allows overwriting beyond the allocated
  array.

For the squeeze-backports distribution the problems have been fixed in
version 2:3.6.4-1~bpo60+1.
Posted Sat 14 Apr 2012 08:51:02 AM UTC

Following the normal Debian Archive, lenny-backports is now discontinued. That means that no upload will be possible anymore and lenny-backports(-sloppy) get moved to archive.debian.org. If you haven't updated yet - now is the time to move to squeeze.

Some numbers about lenny-backports and lenny-backports-sloppy:

  • Source packages: lenny-backports: 667 - sloppy: 21
  • Uploads: lenny-backports: 1445 - sloppy: 51
  • Contributors: lenny-backports: 146 - sloppy: 17

Without all those contributors lenny-backports wouldn't have been possible. Thank you very much for your support!

Posted Sun 25 Mar 2012 09:07:14 AM UTC