You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.
Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for use on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)
Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!
It is therefore recommended to select only the individual backported packages you actually need, rather than pulling in every available backport.
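The version strings quoted in the advisories further down this page (2.10.9-1~bpo60+1, 2:3.14.5-1~bpo60+1, 5.1.0-3~bpo70+1, ...) encode the backport relationship: a backport carries a ~bpoNN+M suffix, and dpkg sorts "~" below everything else, so a backport version ranks below the matching stable-security (+debNuM) and unstable versions and is replaced cleanly when the next release becomes stable. The following is an added example, not code from backports.debian.org or from dpkg itself; it reimplements dpkg's version comparison algorithm (the one behind dpkg --compare-versions) in Python and uses it to check whether an installed version is at or above an advisory's fixed version. The bpo60/bpo70 to squeeze/wheezy table and the sample installed versions are constructed for the example.

```python
"""Added example: Debian version ordering and the ~bpoNN+M backport suffix.

Reimplements dpkg's version comparison (epoch:upstream-revision, with '~'
sorting before anything, even the empty string) so that the ordering of the
backport versions quoted in the advisories can be checked offline.
"""
import re

# Backport suffix ~bpoNN+M: NN is the Debian release the backport was built for.
BPO_RE = re.compile(r"~bpo(\d+)\+(\d+)")
# Assumption for this example: only the two releases named on this page.
BPO_CODENAMES = {"60": "squeeze", "70": "wheezy"}


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """Sort weight of one character, as in dpkg: '~' < end-of-string (None)
    < letters < any other character. Digits are compared numerically elsewhere."""
    if c is None or _isdigit(c):
        return 0
    if "a" <= c <= "z" or "A" <= c <= "Z":
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does: alternate
    non-digit runs (by character weight) and digit runs (as numbers)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character weight decides.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run (bigger number) wins,
        # otherwise the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = int(a[i]) - int(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision);
    epoch and revision are optional."""
    epoch, rest = 0, version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, like dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def backport_target(version):
    """Codename a backport was built for, or None if version has no ~bpoNN+M."""
    m = BPO_RE.search(version)
    if not m:
        return None
    return BPO_CODENAMES.get(m.group(1), "bpo" + m.group(1))


def is_fixed(installed, fixed):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample: the pidgin versions quoted in the advisory on this page.
    chain = ["2.10.9-1~bpo60+1", "2.10.9-1~deb7u1", "2.10.9-1"]
    for low, high in zip(chain, chain[1:]):
        print(low, "<", high, compare_versions(low, high) == -1)
    print(backport_target("2:3.14.5-1~bpo60+1"))
    print(is_fixed("2.10.7-1~bpo60+1", "2.10.9-1~bpo60+1"))
```

Because "~" sorts below the empty string, 2.10.9-1~bpo60+1 < 2.10.9-1~deb7u1 < 2.10.9-1: a squeeze-backports package is superseded by the wheezy security update and then by the plain unstable version, which is exactly what makes the upgrade path described above work. Note that a ~bpo version is still "newer" than the stable package it was built on top of (for example 2.10.9-1~bpo60+1 is above 2.10.7-1), so apt will not downgrade it back to stable on its own.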
Where to start
- Users should start at the Instructions page.
- Contributors should start at the Contribute page.
- If you want to know which packages are available via backports.debian.org look at the Packages page.
Andreas Metzler uploaded new packages for gnutls28 which fixed the following security problem:
- CVE-2014-1959 / DSA 2866-1 / GNUTLS-SA-2014-1: Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default.
For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in gnutls26/2.12.23-12 and gnutls28/3.2.11-1. For the stable distribution (wheezy), this problem has been fixed in gnutls26/2.12.20-8.
intrigeri uploaded new packages for pidgin which fixed the following security problems:
- CVE-2013-6477: Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future.
- CVE-2013-6478: Pidgin could be crashed through overly wide tooltip windows.
- CVE-2013-6479: Jacob Appelbaum discovered that a malicious server or a "man in the middle" could send a malformed HTTP header resulting in denial of service.
- CVE-2013-6481: Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages.
- CVE-2013-6482: Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages.
- CVE-2013-6483: Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages.
- CVE-2013-6484: It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash.
- CVE-2013-6485: Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses.
- CVE-2013-6487: Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages.
- CVE-2013-6489: Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons.
- CVE-2013-6490: Yves Younan discovered a buffer overflow when parsing SIMPLE headers.
- CVE-2014-0020: Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments.
For the squeeze-backports distribution, these problems have been fixed in version 2.10.9-1~bpo60+1. For the oldstable distribution (squeeze), no direct backport is provided; use the fixed package from squeeze-backports instead. For the stable distribution (wheezy), these problems have been fixed in version 2.10.9-1~deb7u1. For the unstable distribution (sid), these problems have been fixed in version 2.10.9-1.
intrigeri uploaded new packages for nss which fixed the following security problems:
- CVE-2013-1739 (DSA-2790-1): A flaw was found in the way the Mozilla Network Security Service library (nss) read uninitialized data when there was a decryption failure. A remote attacker could use this flaw to cause a denial of service (application crash) for applications linked with the nss library.
- CVE-2013-5605 (DSA-2800-1): Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code.
For the squeeze-backports distribution, the problems have been fixed in version 2:3.14.5-1~bpo60+1. For the oldstable distribution (squeeze), the problems have been fixed in version 3.12.8-1+squeeze7. For the stable distribution (wheezy), the problems have been fixed in version 2:3.14.5-1. For the testing (jessie) and unstable (sid) distributions, the problems have been fixed in version 2:3.15.3-1.
intrigeri uploaded new packages for xorg-server which fixed the following security problem:
- CVE-2013-4396: Pedro Ribeiro discovered a use-after-free in the handling of ImageText requests in the Xorg Xserver, which could result in denial of service or privilege escalation.
https://security-tracker.debian.org/tracker/CVE-2013-4396
http://www.debian.org/security/2013/dsa-2784
For the squeeze-backports distribution, this problem has been fixed in version 1.10.4-1~bpo60+2. For the oldstable distribution (squeeze), this problem has been fixed in version 1.7.7-17. For the stable distribution (wheezy), this problem has been fixed in version 1.12.4-6+deb7u1. For the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 1.14.3-4.
Wouter Verhelst uploaded new packages for nbd which fixed the following security problem:
- CVE-2013-6410: Incorrect parsing of the access control lists.
For the squeeze-backports distribution, the problem has been fixed in version 1:3.2-4~deb7u4~bpo60+1. nbd is not present in any other backports repository.
Updated strongswan packages for squeeze-backports and wheezy-backports fix the following vulnerabilities:
- CVE-2013-2944: When using the openssl plugin for ECDSA based authentication, an empty, zeroed or otherwise invalid signature is handled as a legitimate one.
- CVE-2013-6075: DoS vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload.
- CVE-2013-6076: DoS vulnerability triggered by crafted IKEv1 fragmentation payloads.
The squeeze-backports distribution was affected by CVE-2013-2944 and CVE-2013-6075. These problems have been fixed in version 4.5.2-1.5+deb7u2~bpo60+1. The wheezy-backports distribution was affected by CVE-2013-6075 and CVE-2013-6076. These problems have been fixed in version 5.1.0-3~bpo70+1.
Colin Watson uploaded new packages for openssh which fixed the following security problem:
- CVE-2013-4548: A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during key exchange. If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.
https://security-tracker.debian.org/tracker/CVE-2013-4548
For the wheezy-backports distribution, this problem has been fixed in version 1:6.4p1-1~bpo70+1. For the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 1:6.4p1-1. Other distributions are not vulnerable.
Package        : roundcube
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6172
Debian Bug     : 727668

It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, does not properly sanitize the _session parameter in steps/utils/save_pref.inc during saving preferences. The vulnerability can be exploited to overwrite configuration settings, subsequently allowing random file access, manipulated SQL queries and even code execution.
roundcube in the oldstable distribution (squeeze) is not affected by this problem. For backports for the oldstable distribution (squeeze-backports-sloppy), this problem has been fixed in 0.9.5-1~bpo60+1. For the stable distribution (wheezy), this problem has been fixed in version 0.7.2-9+deb7u1. For backports for the stable distribution (wheezy-backports), this problem has been fixed in 0.9.5-1~bpo70+1. For the unstable distribution (sid), this problem has been fixed in version 0.9.4-1.1.
We recommend that you upgrade your roundcube packages.
Dominic Hargreaves uploaded new packages for request-tracker4 which fixed the following security problems:
- CVE-2012-4733: A user with the ModifyTicket right can bypass the DeleteTicket right or any custom lifecycle transition rights and thus modify ticket data without authorization.
- CVE-2013-3368: The rt command line tool uses semi-predictable temporary files. A malicious user can use this flaw to overwrite files with the permissions of the user running the rt command line tool.
- CVE-2013-3369: A malicious user who is allowed to see administration pages can run arbitrary mason components (without control of arguments), which may have negative side-effects.
- CVE-2013-3370: Request Tracker allows direct requests to private callback components, which could be used to exploit a Request Tracker extension or a local callback which uses the arguments passed to it insecurely.
- CVE-2013-3371: Request Tracker is vulnerable to cross-site scripting attacks via attachment filenames.
- CVE-2013-3372: Dominic Hargreaves discovered that Request Tracker is vulnerable to an HTTP header injection limited to the value of the Content-Disposition header.
- CVE-2013-3373: Request Tracker is vulnerable to a MIME header injection in outgoing email generated by Request Tracker. The Request Tracker stock templates are fixed by this update, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines.
- CVE-2013-3374: Request Tracker is vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. However, Request Tracker's default session configuration only uses Apache::Session::File when configured for Oracle databases.
This version of Request Tracker includes a database content upgrade. If you are using a dbconfig-managed database, you will be offered the choice of applying this automatically. Otherwise see the explanation in /usr/share/doc/request-tracker4/NEWS.Debian.gz for the manual steps to perform.
Please note that if you run request-tracker4 under the Apache web server, you must stop and start Apache manually. The "restart" mechanism is not recommended, especially when using mod_perl or any form of persistent perl process such as FastCGI or SpeedyCGI.
For the squeeze-backports distribution, the problems have been fixed in version 4.0.7-5+deb7u2~bpo60+1.