Introduction
You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.
Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)
Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!
It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.
Where to start
- Users should start at the Instructions page.
- Contributors should start Contribute page.
- If you want to know which packages are available via backports.debian.org look at the Packages page.
News
Now that buster was released we are pleased to announce the availability of buster-backports and stretch-backports-sloppy.
What to upload where
As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means:
| Source Distribution | Backports Distribution | Sloppy Distribution |
|---|---|---|
| buster | stretch-backports | - |
| bullseye | buster-backports | stretch-backports-sloppy |
Backports and LTS
Please keep in mind that backports doesn't follow LTS. Which means that we will drop support for oldstable (stretch) around one year after the release of buster. Thats in sync with the - official - security support for oldstable
BSA Security Advisories
We plan to switch the security-announce mailinglist to keyring based authentication, which means that every DD and DM is able to publish its own BSA advisories. We will send out a seperate announcement after the switch happened - and of course update the documentation
Statistics
For packages backported from buster, so far we have 1624 different source packages in stretch-backports. Those 1624 source packages took 2821 uploads from 252 uploaders to become reality.
Thanks
Thanks have to go out to all people making backports possible, and that includes up front the backporters themself who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.
Happy Backporting!
Alex and Rhonda - backports.debian.org ftpmasters
Bernhard Schmidt uploaded new packages for openvpn which fixed the
following security problems:
CVE-2017-7479
It was discovered that openvpn did not properly handle the
rollover of packet identifiers. This would allow an authenticated
remote attacker to cause a denial-of-service via application
crash.
CVE-2017-7508
Guido Vranken discovered that openvpn did not properly handle
specific malformed IPv6 packets. This would allow a remote
attacker to cause a denial-of-service via application crash.
CVE-2017-7520
Guido Vranken discovered that openvpn did not properly handle
clients connecting to an HTTP proxy with NTLMv2
authentication. This would allow a remote attacker to cause a
denial-of-service via application crash, or potentially leak
sensitive information like the user's proxy password.
CVE-2017-7521
Guido Vranken discovered that openvpn did not properly handle
some x509 extensions. This would allow a remote attacker to cause
a denial-of-service via application crash.
For the jessie-backports distribution the problems have been fixed in
version 2.4.0-6+deb9u1~bpo8+1.
Al Nikolov uploaded new package for salt which fixed the
following security problem:
CVE-2017-8109
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4
copied over configuration from the Salt Master without adjusting
permissions, which might leak credentials to local attackers on
configured minions (clients).
For the jessie-backports distribution the problems have been fixed in
version 2016.11.2+ds-1~bpo8+2.
With the release of stretch we are pleased to open the doors for stretch-backports and jessie-backports-sloppy. \o/
As usual with a new release we will change a few things for the backports service.
What to upload where
As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means:
| Source Distribution | Backports Distribution | Sloppy Distribution |
|---|---|---|
| buster | stretch-backports | jessie-backports-sloppy |
| stretch | jessie-backports | - |
Deprecation of LTS support for backports
We started supporting backports as long as there is LTS support as an experiment. Unfortunately it didn't worked, most maintainers didn't wanted to support oldoldstable-backports (squeeze) for the lifetime of LTS. So things started to rot in squeeze and most packages didn't received updates. After long discussions we decided to deprecate LTS support for backports. From now on squeeze-backports(-sloppy) is closed and will not receive any updates. Expect it to get removed from the mirrors and moved to archive in the near future.
BSA handling
We - the backports team - didn't scale well in processing BSA requests. To get things better in the future we decided to change the process a little bit. If you upload a package which fixes security problems please fill out the BSA template and create a ticket in the rt tracker (see https://backports.debian.org/Contribute/#index3h2 for details).
Stretching the rules
From time to time its necessary to not follow the backports rules, like a package needs to be in testing or a version needs to be in Debian. If you think you have one of those cases, please talk to us on the list before upload the package.
Thanks
Thanks have to go out to all people making backports possible, and that includes up front the backporters themself who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.
We wish you a happy stretch 
Alex, on behalf of the Backports Team
Thomas Goirand uploaded new packages for horizon which fixed the
following security problem:
CVE-2015-3988:
Sunil Yadav from IBM Security Services reported a persistent XSS in
Horizon. An authenticated user may conduct a persistent XSS attack by
setting a malicious metadata to a Glance image, a Nova flavor or a
Host Aggregate and tricking an administrator to load the update
metadata page. Once executed in a legitimate context this attack may
result in a privilege escalation.
For the jessie-backports distribution the problems have been fixed in
2015.1.0-2~bpo8+1.
Wouter Verhelst uploaded new packages for nbd which fixed the following
security problems:
CVE-2015-0847
Tuomas Räsänen discovered that nbd-server unsafe signal handling in
nbd-server, the server for the Network Block Device protocol, could
allow remote attackers to cause a deadlock in the server process and
thus a denial of service.
CVE-2013-7441
Tuomas Räsänen discovered that the modern-style negotiation was
carried out in the main process before forking the actual client
handler. This could allow a remote attacker to cause a denial of
service (crash) by querying a non-existent export.
For the squeeze-backports distribution,the problems have been fixed in
version 1:3.2-4~deb7u5~bpo60+1.
The wheezy-backports and jessie-backports suites do not contain nbd
packages, and therefore are not vulnerable (but see DSA-3271-1).
Rene Engelhard uploaded new packages for libreoffice which fixed the
following security problem:
CVE-2015-1774:
It was discovered that missing input sanitising in Libreoffice's filter
for HWP documents may result in the execution of arbitrary code if a
malformed document is opened.
For the squeeze-backports distribution the problem has been fixed in
version 1:3.5.4+dfsg2-0deb7u4~bpo60+1.
For the wheezy-backports distribution the problem has been fixed in
version 1:4.3.3-2+deb8u1~bpo70+1.
Dear users of the backports service!
With the release of Jessie (coming up) we are pleased to open the doors
for jessie-backports and wheezy-backports-sloppy (mostly all
architectures are already buildable there, too). Whee!
But, PLEASE DO READ ON, there are some changes in the process that we
would like to do for the new upload pockets.
== What to upload where ==
As a reminder, uploads to a release-backports pocket are to be taken
from release + 1, uploads to a release-backports-sloppy pocket are to be
taken from release + 2. Which means:
Source Distribution | Backports Distribution | Sloppy Distribution
---------------------|------------------------|--------------------------
stretch | jessie-backports | wheezy-backports-sloppy
jessie | wheezy-backports | squeeze-backports-sloppy
== We drop -v switch hard requirement ==
We required uploads to contain the changelog entries since the former
version in stable in the changes file. This was quite convenient for
people reading the changes through the changes mailinglist but
especially also for the backports team when processing packages.
Given that the changelogs of former backports and the packages
backported are available through the packages.debian.org website
(amongst other sources) and that it was annoying to both backporters and
also us as backports team we are dropping it as hard requirement. It
would still be pretty awesome for the above mentioned reasons if you
could keep it as part of your workflow, especially for uploads that end
in the policy queue, but we won't reject packages based solely on that
nymore.
== Versioning ==
Previous we used ~bpo70+1 as suffix for the versions of uploads. We
were asked whether we might want to align that with the other suffixes
used and drop the zero from within there, and yes, we will drop it.
This means that uploads to jessie-backports should use ~bpo8+1 as
suffix, and also wheezy-backports-sloppy uses ~bpo7+1 as suffix.
For wheezy-backports please still use ~bpo70+1 version suffixes
because of sorting reasoning, especially if there are also
squeeze-backports-sloppy packages around. Which brings us to ...
== squeeze-backports* ==
As you are probably aware, squeeze is still a supported release through
LTS. The same goes for the squeeze-backports* suites, you can consider
them to be around for the same timeframe that LTS is going to be around.
== Statistics ==
For packages backported from jessie, so far we have 995 different
source packages in wheezy-backports, and 27 different source packages in
squeeze-backports-sloppy. Those 995 source packages took 1729 uploads
to become reality.
== Thanks ==
Thanks have to go out to all people making backports possible, and that
includes up front the backporters themself who do upload the packages,
track and update them on a regular basis, but also the buildd team
making the autobuilding possible and the ftp masters for creating the
suites in the first place.
Enjoy, and continue being awesome!
Rhonda, on behalf of the Backports Team
Matthew Vernon uploaded new packages for shibboleth-sp which fixed the
following security problems:
CVE-2015-2684
A denial of service vulnerability was found in the Shibboleth (a
federated identity framework) Service Provider. When processing
certain malformed SAML messages generated by an authenticated
attacker, the daemon could crash.
For the wheezy-backports distribution the problems have been fixed in
version 2.5.3+dfsg-2~bpo70+1.
Dominic Hargreaves uploaded new packages for request-tracker4 which fixed the
following security problems:
CVE-2014-9472
Remote DoS via email gateway
CVE-2015-1165
Information discloure revealing RSS feed URLs
CVE-2015-1464
Privilege escalation via RSS feed URLs
For the wheezy-backports distribution the problems have been fixed in
version 4.0.19-1~bpo70+2.
The problems have been fixed in other distributions as follows:
* sid/jessie: 4.2.8-3
* wheezy: 4.0.7-5+deb7u3.
* squeeze-backports: 4.0.7-5+deb7u3~bpo60+1
* squeeze-lts: 3.8.8-7+squeeze9 (of request-tracker3.8)