Bernhard Schmidt uploaded new packages for openvpn which fixed the
following security problems:

CVE-2017-7479

    It was discovered that openvpn did not properly handle the
    rollover of packet identifiers. This would allow an authenticated
    remote attacker to cause a denial-of-service via application
    crash.

CVE-2017-7508

    Guido Vranken discovered that openvpn did not properly handle
    specific malformed IPv6 packets. This would allow a remote
    attacker to cause a denial-of-service via application crash.

CVE-2017-7520

    Guido Vranken discovered that openvpn did not properly handle
    clients connecting to an HTTP proxy with NTLMv2
    authentication. This would allow a remote attacker to cause a
    denial-of-service via application crash, or potentially leak
    sensitive information like the user's proxy password.

CVE-2017-7521

    Guido Vranken discovered that openvpn did not properly handle
    some x509 extensions. This would allow a remote attacker to cause
    a denial-of-service via application crash.

For the jessie-backports distribution the problems have been fixed in
version 2.4.0-6+deb9u1~bpo8+1.

Al Nikolov uploaded new package for salt which fixed the
following security problem:

CVE-2017-8109
    The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4
    copied over configuration from the Salt Master without adjusting
    permissions, which might leak credentials to local attackers on
    configured minions (clients).

For the jessie-backports distribution the problems have been fixed in
version 2016.11.2+ds-1~bpo8+2.

With the release of stretch we are pleased to open the doors for stretch-backports and jessie-backports-sloppy. \o/

As usual with a new release we will change a few things for the backports service.

What to upload where

As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means:

Deprecation of LTS support for backports

We started supporting backports as long as there is LTS support as an experiment. Unfortunately it didn't worked, most maintainers didn't wanted to support oldoldstable-backports (squeeze) for the lifetime of LTS. So things started to rot in squeeze and most packages didn't received updates. After long discussions we decided to deprecate LTS support for backports. From now on squeeze-backports(-sloppy) is closed and will not receive any updates. Expect it to get removed from the mirrors and moved to archive in the near future.

BSA handling

We - the backports team - didn't scale well in processing BSA requests. To get things better in the future we decided to change the process a little bit. If you upload a package which fixes security problems please fill out the BSA template and create a ticket in the rt tracker (see https://backports.debian.org/Contribute/#index3h2 for details).

Stretching the rules

From time to time its necessary to not follow the backports rules, like a package needs to be in testing or a version needs to be in Debian. If you think you have one of those cases, please talk to us on the list before upload the package.

Thanks

Thanks have to go out to all people making backports possible, and that includes up front the backporters themself who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.

We wish you a happy stretch Alex, on behalf of the Backports Team

Henrique de Moraes Holschuh uploaded new packages for iucode-tool which
fixed the following security problems:

CVE-2017-0357
  iucode-tool v1.4 to v2.1 is vulnerable to a heap buffer overflow in
  the -tr (recovery) loader.  Using specially-crafted data files and a
  specially crafted command line, it might be possible to leverage this
  heap buffer overflow to cause heap corruption, which might allow an
  attacker to run arbitrary code.

For the jessie-backports distribution the problem has been fixed in
version 2.1.1-1~bpo8+1.

For the wheezy-backports distribution, no fix is necessary.

For users building directly from the git repository, all
debian/release/* branches have been updated with fixed versions where
necessary.

Craig Small <csmall@debian.org> uploaded new packages for wordpress
which fixed the following security problems:

CVE-2016-10066, CVE-2016-10045
  Potential Remote Command Execution (RCE) in PHPMailer
CVE-2017-5488
  Authenticated Cross-Site scripting (XSS) in update-core.php
CVE-2017-5490
  Stored Cross-Site Scripting (XSS) via Theme Name fallback
CVE-2017-5491
  Post via Email Checks mail.example.com by Default
CVE-2017-5492
  Accessibility Mode Cross-Site Request Forgery (CSRF)
CVE-2017-5493
  Cryptographically Weak Pseudo-Random Number Generator
CVE-2017-5487
  User Information Disclosure via REST API - API doesn't exist
CVE-2017-5489
  Cross-Site Request Forgery (CSRF) via Flash Upload

For the jessie-backports distribution the problems have been fixed in
version 4.7.1+dfsg-1~bpo8+1

Harlan Lieberman-Berg uploaded new packages for ansible which fixed the
following security problems:

CVE-2016-3096
  Predictable filenames could allow an attacker to a user to execute
  arbitrary commands as root inside an lxc_container managed container.

For the jessie-backports distribution, the problem has been fixed in
version 2.0.2.0-1~bpo8+1

Ryan Tandy uploaded new packages for openldap which fixed the
following security problems:

CVE-2015-6908
  Denis Andzakovic discovered that OpenLDAP, a free implementation of the
  Lightweight Directory Access Protocol, does not properly handle BER data.
  An unauthenticated remote attacker can use this flaw to cause a denial of
  service (slapd daemon crash) via a specially crafted packet.

For the wheezy-backports distribution the problems have been fixed in
version 2.4.31+really2.4.40+dfsg-1+deb8u1~bpo70+1.

The jessie-backports suite does not contain openldap packages, while for
Debian stable suites the issue has been fixed by DSA-3356-1 (jessie and
wheezy) and DLA-309-1 (squeeze).

Christian Seiler prepared new packages for lxc which fixed the following
security problems:

CVE-2015-1331
  Roman Fiedler discovered a directory traversal flaw in LXC when
  creating lock files. A local attacker could exploit this flaw to
  create an arbitrary file as the root user.

CVE-2015-1334
  Roman Fiedler discovered that LXC incorrectly trusted the container's
  proc filesystem to set up AppArmor profile changes and SELinux domain
  transitions. A malicious container could create a fake proc
  filesystem and use this flaw to run programs inside the container
  that are not confined by AppArmor or SELinux.

For the wheezy-backports distribution the problems have been fixed in
version 1.0.6-6+deb8u1~bpo70+1.

Christian Hofstaedtler uploaded new packages for pdns and
pdns-server which fixed the following security problem:

CVE-2015-1868: The label decompression functionality in PowerDNS
Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and
Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x
before 3.4.4 allows remote attackers to cause a denial of service
(CPU consumption or crash) via a request with a name that refers to
itself.

For the wheezy-backports distribution the problems have been fixed
in pdns version 3.4.1-4+deb8u1~bpo70+1, and in pdns-recursor
version 3.6.2-2+deb8u1~bpo70+1.

Thomas Goirand uploaded new packages for horizon which fixed the
following security problem:

CVE-2015-3988:
  Sunil Yadav from IBM Security Services reported a persistent XSS in
  Horizon. An authenticated user may conduct a persistent XSS attack by
  setting a malicious metadata to a Glance image, a Nova flavor or a
  Host Aggregate and tricking an administrator to load the update
  metadata page. Once executed in a legitimate context this attack may
  result in a privilege escalation.

For the jessie-backports distribution the problems have been fixed in
2015.1.0-2~bpo8+1.