You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.
Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)
Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!
It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.
Where to start
- Users should start at the Instructions page.
- Contributors should start Contribute page.
- If you want to know which packages are available via backports.debian.org look at the Packages page.
Henrique de Moraes Holschuh uploaded new packages for iucode-tool which fixed the following security problems: CVE-2017-0357 iucode-tool v1.4 to v2.1 is vulnerable to a heap buffer overflow in the -tr (recovery) loader. Using specially-crafted data files and a specially crafted command line, it might be possible to leverage this heap buffer overflow to cause heap corruption, which might allow an attacker to run arbitrary code. For the jessie-backports distribution the problem has been fixed in version 2.1.1-1~bpo8+1. For the wheezy-backports distribution, no fix is necessary. For users building directly from the git repository, all debian/release/* branches have been updated with fixed versions where necessary.
Craig Small <firstname.lastname@example.org> uploaded new packages for wordpress which fixed the following security problems: CVE-2016-10066, CVE-2016-10045 Potential Remote Command Execution (RCE) in PHPMailer CVE-2017-5488 Authenticated Cross-Site scripting (XSS) in update-core.php CVE-2017-5490 Stored Cross-Site Scripting (XSS) via Theme Name fallback CVE-2017-5491 Post via Email Checks mail.example.com by Default CVE-2017-5492 Accessibility Mode Cross-Site Request Forgery (CSRF) CVE-2017-5493 Cryptographically Weak Pseudo-Random Number Generator CVE-2017-5487 User Information Disclosure via REST API - API doesn't exist CVE-2017-5489 Cross-Site Request Forgery (CSRF) via Flash Upload For the jessie-backports distribution the problems have been fixed in version 4.7.1+dfsg-1~bpo8+1
Harlan Lieberman-Berg uploaded new packages for ansible which fixed the following security problems: CVE-2016-3096 Predictable filenames could allow an attacker to a user to execute arbitrary commands as root inside an lxc_container managed container. For the jessie-backports distribution, the problem has been fixed in version 184.108.40.206-1~bpo8+1
Ryan Tandy uploaded new packages for openldap which fixed the following security problems: CVE-2015-6908 Denis Andzakovic discovered that OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, does not properly handle BER data. An unauthenticated remote attacker can use this flaw to cause a denial of service (slapd daemon crash) via a specially crafted packet. For the wheezy-backports distribution the problems have been fixed in version 2.4.31+really2.4.40+dfsg-1+deb8u1~bpo70+1. The jessie-backports suite does not contain openldap packages, while for Debian stable suites the issue has been fixed by DSA-3356-1 (jessie and wheezy) and DLA-309-1 (squeeze).
Christian Seiler prepared new packages for lxc which fixed the following security problems: CVE-2015-1331 Roman Fiedler discovered a directory traversal flaw in LXC when creating lock files. A local attacker could exploit this flaw to create an arbitrary file as the root user. CVE-2015-1334 Roman Fiedler discovered that LXC incorrectly trusted the container's proc filesystem to set up AppArmor profile changes and SELinux domain transitions. A malicious container could create a fake proc filesystem and use this flaw to run programs inside the container that are not confined by AppArmor or SELinux. For the wheezy-backports distribution the problems have been fixed in version 1.0.6-6+deb8u1~bpo70+1.
Christian Hofstaedtler uploaded new packages for pdns and pdns-server which fixed the following security problem: CVE-2015-1868: The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself. For the wheezy-backports distribution the problems have been fixed in pdns version 3.4.1-4+deb8u1~bpo70+1, and in pdns-recursor version 3.6.2-2+deb8u1~bpo70+1.
Thomas Goirand uploaded new packages for horizon which fixed the following security problem: CVE-2015-3988: Sunil Yadav from IBM Security Services reported a persistent XSS in Horizon. An authenticated user may conduct a persistent XSS attack by setting a malicious metadata to a Glance image, a Nova flavor or a Host Aggregate and tricking an administrator to load the update metadata page. Once executed in a legitimate context this attack may result in a privilege escalation. For the jessie-backports distribution the problems have been fixed in 2015.1.0-2~bpo8+1.
Wouter Verhelst uploaded new packages for nbd which fixed the following security problems: CVE-2015-0847 Tuomas Räsänen discovered that nbd-server unsafe signal handling in nbd-server, the server for the Network Block Device protocol, could allow remote attackers to cause a deadlock in the server process and thus a denial of service. CVE-2013-7441 Tuomas Räsänen discovered that the modern-style negotiation was carried out in the main process before forking the actual client handler. This could allow a remote attacker to cause a denial of service (crash) by querying a non-existent export. For the squeeze-backports distribution,the problems have been fixed in version 1:3.2-4~deb7u5~bpo60+1. The wheezy-backports and jessie-backports suites do not contain nbd packages, and therefore are not vulnerable (but see DSA-3271-1).
Rene Engelhard uploaded new packages for libreoffice which fixed the following security problem: CVE-2015-1774: It was discovered that missing input sanitising in Libreoffice's filter for HWP documents may result in the execution of arbitrary code if a malformed document is opened. For the squeeze-backports distribution the problem has been fixed in version 1:3.5.4+dfsg2-0deb7u4~bpo60+1. For the wheezy-backports distribution the problem has been fixed in version 1:4.3.3-2+deb8u1~bpo70+1.
Dear users of the backports service! With the release of Jessie (coming up) we are pleased to open the doors for jessie-backports and wheezy-backports-sloppy (mostly all architectures are already buildable there, too). Whee! But, PLEASE DO READ ON, there are some changes in the process that we would like to do for the new upload pockets. == What to upload where == As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means: Source Distribution | Backports Distribution | Sloppy Distribution ---------------------|------------------------|-------------------------- stretch | jessie-backports | wheezy-backports-sloppy jessie | wheezy-backports | squeeze-backports-sloppy == We drop -v switch hard requirement == We required uploads to contain the changelog entries since the former version in stable in the changes file. This was quite convenient for people reading the changes through the changes mailinglist but especially also for the backports team when processing packages. Given that the changelogs of former backports and the packages backported are available through the packages.debian.org website (amongst other sources) and that it was annoying to both backporters and also us as backports team we are dropping it as hard requirement. It would still be pretty awesome for the above mentioned reasons if you could keep it as part of your workflow, especially for uploads that end in the policy queue, but we won't reject packages based solely on that nymore. == Versioning == Previous we used ~bpo70+1 as suffix for the versions of uploads. We were asked whether we might want to align that with the other suffixes used and drop the zero from within there, and yes, we will drop it. This means that uploads to jessie-backports should use ~bpo8+1 as suffix, and also wheezy-backports-sloppy uses ~bpo7+1 as suffix. For wheezy-backports please still use ~bpo70+1 version suffixes because of sorting reasoning, especially if there are also squeeze-backports-sloppy packages around. Which brings us to ... == squeeze-backports* == As you are probably aware, squeeze is still a supported release through LTS. The same goes for the squeeze-backports* suites, you can consider them to be around for the same timeframe that LTS is going to be around. == Statistics == For packages backported from jessie, so far we have 995 different source packages in wheezy-backports, and 27 different source packages in squeeze-backports-sloppy. Those 995 source packages took 1729 uploads to become reality. == Thanks == Thanks have to go out to all people making backports possible, and that includes up front the backporters themself who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place. Enjoy, and continue being awesome! Rhonda, on behalf of the Backports Team