Pierre Gruet uploaded new packages for xerial-sqlite-jdbc which fixed
the following security problem:

CVE-2023-32697

    It was discovered that xerial-sqlite-jdbc had a remote code
    execution vulnerability via JDBC URL, which was caused by
    a predictable UUID choice.

For the bullseye-backports distribution the problem has been fixed in
version 3.36.0.3+dfsg1-3~bpo11+2.

bullseye-backports and buster-backports-sloppy started

From now on you can upload packages to those two distributions. Please ensure to follow the rules of those distributions (yes, that means you can't upload packages to bullseye-backports now that are not in testing ;))

stretch-backports discontinued

Following the rules oldstable backports was discontinued some time ago, but we never announced that offically. Please do not upload anything to oldstable backports.

security uploads

Announcing security updates didn't worked well in the past. We therefore decided to change the mechanism security announcements work. Every Debian contributor (DM/DD) can now send a signed mail to the debian-backports-announce mailinglist. Please follow the template when doing so. The contribution document also shows how to reserve a BSA by doing a merge request to the website.

new backports maintainers

I am happy to announce that Thorsten Glaser (tg) and Micha Lenk (micha) will join us a backports ftpmasters. They are not yet onboarded, but that will happen soon. Please give them a warm welcome.

updates for the website

If you have something to contribute for our webseite, feel free to create an issue or (even better) create a merge request against https://salsa.debian.org/backports-team/backports-website

Thanks

Alex - backports ftpmaster

[1] https://backports.debian.org/Contribute/ [2] https://backports.debian.org/Instructions/ [3] https://backports.debian.org/Contribute/#index4h2

Now that buster was released we are pleased to announce the availability of buster-backports and stretch-backports-sloppy.

What to upload where

As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means:

Backports and LTS

Please keep in mind that backports doesn't follow LTS. Which means that we will drop support for oldstable (stretch) around one year after the release of buster. Thats in sync with the - official - security support for oldstable

BSA Security Advisories

We plan to switch the security-announce mailinglist to keyring based authentication, which means that every DD and DM is able to publish its own BSA advisories. We will send out a seperate announcement after the switch happened - and of course update the documentation

Statistics

For packages backported from buster, so far we have 1624 different source packages in stretch-backports. Those 1624 source packages took 2821 uploads from 252 uploaders to become reality.

Thanks

Thanks have to go out to all people making backports possible, and that includes up front the backporters themself who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.

Happy Backporting!

Alex and Rhonda - backports.debian.org ftpmasters

Philippe Coval uploaded new packages for mosquitto which fixed the
following security problems:

CVE-2021-34434

    In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.

For the bookworm-backports distribution the problems have been fixed in
version 2.0.15-2~bpo12+1.

Bernhard Schmidt uploaded new packages for openvpn which fixed the
following security problems:

CVE-2017-7479

    It was discovered that openvpn did not properly handle the
    rollover of packet identifiers. This would allow an authenticated
    remote attacker to cause a denial-of-service via application
    crash.

CVE-2017-7508

    Guido Vranken discovered that openvpn did not properly handle
    specific malformed IPv6 packets. This would allow a remote
    attacker to cause a denial-of-service via application crash.

CVE-2017-7520

    Guido Vranken discovered that openvpn did not properly handle
    clients connecting to an HTTP proxy with NTLMv2
    authentication. This would allow a remote attacker to cause a
    denial-of-service via application crash, or potentially leak
    sensitive information like the user's proxy password.

CVE-2017-7521

    Guido Vranken discovered that openvpn did not properly handle
    some x509 extensions. This would allow a remote attacker to cause
    a denial-of-service via application crash.

For the jessie-backports distribution the problems have been fixed in
version 2.4.0-6+deb9u1~bpo8+1.

Al Nikolov uploaded new package for salt which fixed the
following security problem:

CVE-2017-8109
    The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4
    copied over configuration from the Salt Master without adjusting
    permissions, which might leak credentials to local attackers on
    configured minions (clients).

For the jessie-backports distribution the problems have been fixed in
version 2016.11.2+ds-1~bpo8+2.

With the release of stretch we are pleased to open the doors for stretch-backports and jessie-backports-sloppy. \o/

As usual with a new release we will change a few things for the backports service.

What to upload where

As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means:

Deprecation of LTS support for backports

We started supporting backports as long as there is LTS support as an experiment. Unfortunately it didn't worked, most maintainers didn't wanted to support oldoldstable-backports (squeeze) for the lifetime of LTS. So things started to rot in squeeze and most packages didn't received updates. After long discussions we decided to deprecate LTS support for backports. From now on squeeze-backports(-sloppy) is closed and will not receive any updates. Expect it to get removed from the mirrors and moved to archive in the near future.

BSA handling

We - the backports team - didn't scale well in processing BSA requests. To get things better in the future we decided to change the process a little bit. If you upload a package which fixes security problems please fill out the BSA template and create a ticket in the rt tracker (see https://backports.debian.org/Contribute/#index3h2 for details).

Stretching the rules

From time to time its necessary to not follow the backports rules, like a package needs to be in testing or a version needs to be in Debian. If you think you have one of those cases, please talk to us on the list before upload the package.

Thanks

Thanks have to go out to all people making backports possible, and that includes up front the backporters themself who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.

We wish you a happy stretch Alex, on behalf of the Backports Team

Thomas Goirand uploaded new packages for horizon which fixed the
following security problem:

CVE-2015-3988:
  Sunil Yadav from IBM Security Services reported a persistent XSS in
  Horizon. An authenticated user may conduct a persistent XSS attack by
  setting a malicious metadata to a Glance image, a Nova flavor or a
  Host Aggregate and tricking an administrator to load the update
  metadata page. Once executed in a legitimate context this attack may
  result in a privilege escalation.

For the jessie-backports distribution the problems have been fixed in
2015.1.0-2~bpo8+1.

Wouter Verhelst uploaded new packages for nbd which fixed the following
security problems:

CVE-2015-0847
  Tuomas Räsänen discovered that nbd-server unsafe signal handling in
  nbd-server, the server for the Network Block Device protocol, could
  allow remote attackers to cause a deadlock in the server process and
  thus a denial of service.

CVE-2013-7441
  Tuomas Räsänen discovered that the modern-style negotiation was
  carried out in the main process before forking the actual client
  handler. This could allow a remote attacker to cause a denial of
  service (crash) by querying a non-existent export.

For the squeeze-backports distribution,the problems have been fixed in
version 1:3.2-4~deb7u5~bpo60+1.

The wheezy-backports and jessie-backports suites do not contain nbd
packages, and therefore are not vulnerable (but see DSA-3271-1).

Rene Engelhard uploaded new packages for libreoffice which fixed the
following security problem:

CVE-2015-1774:
   It was discovered that missing input sanitising in Libreoffice's filter
   for HWP documents may result in the execution of arbitrary code if a
   malformed document is opened.

For the squeeze-backports distribution the problem has been fixed in
version 1:3.5.4+dfsg2-0deb7u4~bpo60+1.

For the wheezy-backports distribution the problem has been fixed in
version 1:4.3.3-2+deb8u1~bpo70+1.