Introduction

You are running Debian stable, because you prefer the Debian stable tree. It runs great; there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.

Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with a risk of incompatibilities with other components in Debian stable. Use with care!

It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.

News

Rene Engelhard uploaded new packages for libreoffice which fixed the following
security problems:

CVE-2014-0247
  It was discovered that LibreOffice unconditionally executed certain VBA
  macros, contrary to user expectations.

  https://security-tracker.debian.org/tracker/CVE-2014-0247

The stable distribution (wheezy) is not affected by this issue.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1:4.2.5-1.

For the wheezy-backports distribution, these problems have been fixed in
version 1:4.2.5-1~bpo70+1.
Posted Tue Jun 24 16:13:20 2014

Colin Watson uploaded new packages for openssh which fixed the following
security problems:

CVE-2014-2532 (DSA-2894-1)
  Jann Horn discovered that OpenSSH incorrectly handled wildcards in
  AcceptEnv lines.  A remote attacker could use this issue to trick
  OpenSSH into accepting any environment variable that contains the
  characters before the wildcard character.

  https://security-tracker.debian.org/tracker/CVE-2014-2532

CVE-2014-2653 (DSA-2894-1)
  Matthew Vernon reported that if an SSH server offers a HostCertificate
  that the ssh client doesn't accept, then the client doesn't check the
  DNS for SSHFP records.  As a consequence a malicious server can
  disable SSHFP-checking by presenting a certificate.

  Note that a host verification prompt is still displayed before
  connecting.

  https://security-tracker.debian.org/tracker/CVE-2014-2653

For the wheezy-backports distribution, these problems have been fixed in
version 1:6.6p1-4~bpo70+1.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1:5.5p1-6+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 1:6.0p1-4+deb7u1.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1:6.6p1-1.
Posted Wed Apr 30 10:16:12 2014

Evgeni Golov uploaded new packages for mutt which fixed the
following security problems:

CVE-2014-0467 / DSA-2874-1
  Beatrice Torracca and Evgeni Golov discovered a buffer overflow in the
  mutt mailreader. Malformed RFC2047 header lines could result in denial
  of service or potentially the execution of arbitrary code.

For the squeeze-backports distribution the problems have been fixed in
version 1.5.21-6.2+deb7u2~bpo60+1.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.5.20-9+squeeze3.

For the stable distribution (wheezy), this problem has been fixed in
version 1.5.21-6.2+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.5.22-2.

We recommend that you upgrade your mutt packages.
Posted Sat Mar 15 13:00:10 2014

Andreas Metzler uploaded new packages for gnutls28 which fixed the
following security problems:

CVE-2014-1959 / DSA 2866-1 / GNUTLS-SA-2014-1
  Suman Jana reported that GnuTLS, deviating from the documented
  behavior, considers a version 1 intermediate certificate as a CA
  certificate by default.

For the testing distribution (jessie) and the unstable distribution
(sid), this problem has been fixed in gnutls26/2.12.23-12 and
gnutls28/3.2.11-1.

For the stable distribution this problem has been fixed in
gnutls26/2.12.20-8.
Posted Sat Feb 22 14:11:49 2014

intrigeri uploaded new packages for pidgin which fixed the following security
problems:

CVE-2013-6477
  Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by
  sending a message with a timestamp in the distant future.

CVE-2013-6478
  Pidgin could be crashed through overly wide tooltip windows.

CVE-2013-6479
  Jacob Appelbaum discovered that a malicious server or a "man in the middle"
  could send a malformed HTTP header resulting in denial of service.

CVE-2013-6481
  Daniel Atallah discovered that Pidgin could be crashed through malformed
  Yahoo! P2P messages.

CVE-2013-6482
  Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be
  crashed through malformed MSN messages.

CVE-2013-6483
  Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be
  crashed through malformed XMPP messages.

CVE-2013-6484
  It was discovered that incorrect error handling when reading the response from
  a STUN server could result in a crash.

CVE-2013-6485
  Matt Jones discovered a buffer overflow in the parsing of malformed
  HTTP responses.

CVE-2013-6487
  Yves Younan and Ryan Pentney discovered a buffer overflow when parsing
  Gadu-Gadu messages.

CVE-2013-6489
  Yves Younan and Pawel Janic discovered an integer overflow when parsing
  MXit emoticons.

CVE-2013-6490
  Yves Younan discovered a buffer overflow when parsing SIMPLE headers.

CVE-2014-0020
  Daniel Atallah discovered that Pidgin could be crashed via malformed
  IRC arguments.

For the squeeze-backports distribution the problems have been fixed in version
2.10.9-1~bpo60+1.

For the oldstable distribution (squeeze), no direct backport is provided.
One should use the fixed package from squeeze-backports instead.

For the stable distribution (wheezy), these problems have been fixed in version
2.10.9-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version
2.10.9-1.
Posted Sat Feb 15 10:31:23 2014

intrigeri uploaded new packages for nss which fixed the
following security problems:

CVE-2013-1739 (DSA-2790-1)
  A flaw was found in the way the Mozilla Network Security Service library (nss)
  read uninitialized data when there was a decryption failure. A remote attacker
  could use this flaw to cause a denial of service (application crash) for
  applications linked with the nss library.

CVE-2013-5605 (DSA-2800-1)
  Andrew Tinits reported a potentially exploitable buffer overflow in the
  Mozilla Network Security Service library (nss). With a specially crafted
  request a remote attacker could cause a denial of service or possibly execute
  arbitrary code.

For the squeeze-backports distribution the problems have been fixed in
version 2:3.14.5-1~bpo60+1.

For the oldstable distribution (squeeze), the problems have been fixed in
version 3.12.8-1+squeeze7.

For the stable distribution (wheezy), the problems have been fixed in version
2:3.14.5-1.

For the testing (jessie) and unstable (sid) distributions, the problems have
been fixed in version 2:3.15.3-1.
Posted Sun Feb 9 13:55:55 2014

intrigeri uploaded new packages for xorg-server which fixed the
following security problem:

CVE-2013-4396
  Pedro Ribeiro discovered a use-after-free in the handling of
  ImageText requests in the Xorg Xserver, which could result in denial
  of service or privilege escalation.

  https://security-tracker.debian.org/tracker/CVE-2013-4396
  http://www.debian.org/security/2013/dsa-2784

For the squeeze-backports distribution, this problem has been fixed in
version 1.10.4-1~bpo60+2.

For the oldstable distribution (squeeze), this problem has been fixed
in version 1.7.7-17.

For the stable distribution (wheezy), this problem has been fixed in
version 1.12.4-6+deb7u1.

For the testing (jessie) and unstable (sid) distributions, this
problem has been fixed in version 1.14.3-4.
Posted Sun Dec 15 11:53:55 2013

Dominic Hargreaves uploaded new packages for python-django which fixed the
following security problems:

CVE-2013-6044

Nick Brunn reported a possible cross-site scripting vulnerability in
python-django, a high-level Python web development framework.

The is_safe_url utility function used to validate that a used URL is on
the current host to avoid potentially dangerous redirects from
maliciously-constructed querystrings, worked as intended for HTTP and
HTTPS URLs, but permitted redirects to other schemes, such as
javascript:.

The is_safe_url function has been modified to properly recognize and
reject URLs which specify a scheme other than HTTP or HTTPS, to prevent
cross-site scripting attacks through redirecting to other schemes.

CVE-2013-4315

Rainer Koirikivi discovered a directory traversal vulnerability with
'ssi' template tags in python-django, a high-level Python web
development framework.

It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting,
used to represent allowed prefixes for the {% ssi %} template tag, is
vulnerable to a directory traversal attack, by specifying a file path
which begins as the absolute path of a directory in
'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to alter
templates on the site, or the site to be attacked must have one or more
templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag.

CVE-2013-1443

It was discovered that python-django, a high-level Python web
development framework, is prone to a denial of service vulnerability
via large passwords.

A non-authenticated remote attacker could mount a denial of service by
submitting arbitrarily large passwords, tying up server resources in
the expensive computation of the corresponding hashes to verify the
password.

For the squeeze-backports distribution the problems have been fixed in
version 1.4.5-1+deb7u4~bpo60+1.
Posted Mon Dec 9 20:55:11 2013

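The two python-django checks described above (CVE-2013-6044 and CVE-2013-4315) both fail for the same reason: a validator tested the wrong property of its input. As an added illustration that is not Django's code, the following pair of hypothetical checks contrasts a host-only redirect test with one that also restricts the scheme, and a string-prefix include-root test with one that normalises the path before comparing it. The host name and include root are constructed for the example.

```python
import os
from urllib.parse import urlparse

# Constructed values for the example; not taken from the advisory.
HOST = "example.org"
ALLOWED_INCLUDE_ROOTS = ("/var/www/templates",)


def naive_is_safe_url(url, host=HOST):
    """Host-only test: 'javascript:alert(1)' parses with an empty netloc,
    so it passes as if it were a relative path."""
    parts = urlparse(url)
    return bool(url) and (not parts.netloc or parts.netloc == host)


def is_safe_url(url, host=HOST):
    """Hardened test: a URL that names a scheme is accepted only when that
    scheme is http or https; then the same-host / relative-path rule applies."""
    if not url:
        return False
    parts = urlparse(url.strip())
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    return not parts.netloc or parts.netloc == host


def naive_include_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Plain string-prefix test: '..' components are never collapsed, so a
    path that merely starts with an allowed root can still leave it."""
    return any(filepath.startswith(root) for root in roots)


def include_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Normalise first (collapses '.' and '..'), then require the result to be
    the root itself or to sit below root + separator, so '/root-evil/x' does
    not match '/root'. os.path.realpath would additionally resolve symlinks."""
    target = os.path.abspath(filepath)
    for root in roots:
        root = os.path.abspath(root)
        if target == root or target.startswith(root.rstrip(os.sep) + os.sep):
            return True
    return False


if __name__ == "__main__":
    for u in ("/accounts/", "https://example.org/x", "javascript:alert(1)"):
        print(u, naive_is_safe_url(u), is_safe_url(u))
    for p in ("/var/www/templates/footer.html", "/var/www/templates/../../../etc/passwd"):
        print(p, naive_include_allowed(p), include_allowed(p))
```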
Wouter Verhelst uploaded new packages for nbd which fixed the
following security problems:

CVE-2013-6410
  Incorrect parsing of the access control lists

For the squeeze-backports distribution the problem has been fixed in
version 1:3.2-4~deb7u4~bpo60+1.

nbd is not present in any other backports repository.
Posted Wed Dec 4 15:57:10 2013

Updated strongswan packages for squeeze-backports and wheezy-backports
fix the following vulnerabilities:

- CVE-2013-2944: When using the openssl plugin for ECDSA based
  authentication, an empty, zeroed or otherwise invalid signature is
  handled as a legitimate one.

- CVE-2013-6075: DoS vulnerability and potential authorization bypass
  triggered by a crafted ID_DER_ASN1_DN ID payload.

- CVE-2013-6076: DoS vulnerability triggered by crafted IKEv1
  fragmentation payloads.

The squeeze-backports distribution was affected by CVE-2013-2944 and
CVE-2013-6075. These problems have been fixed in version
4.5.2-1.5+deb7u2~bpo60+1.

The wheezy-backports distribution was affected by CVE-2013-6075 and
CVE-2013-6076. These problems have been fixed in version
5.1.0-3~bpo70+1.
Posted Tue Nov 12 22:20:01 2013