Debian Stretch OpenStack images changelog

9.12.3-20200608

Updates in 2 source package(s), 6 binary package(s):

  Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64  
  bind9 (1:9.10.3.dfsg.P4-12.3+deb9u6) stretch-security; urgency=medium
  
    * [CVE-2020-8616]: Fix NXNSATTACK amplification attack on BIND 9
    * [CVE-2020-8617]: Fix assertion failure in TSIG processing code

  Source ca-certificates, binaries: ca-certificates:amd64 ca-certificates:arm64  
  ca-certificates (20200601~deb9u1) stretch; urgency=medium
  
    * Rebuild for stretch.
    * Merge changes from 20200601
      - d/control
    * This release updates the Mozilla CA bundle to 2.40, blacklists
      distrusted Symantec roots, and blacklists expired "AddTrust External
      Root". Closes: #956411, #955038, #911289, #961907
    * Fix permissions on /usr/local/share/ca-certificates when using symlinks.
      Closes: #916833
    * Remove email-only roots from mozilla trust store. Closes: #721976
  
  ca-certificates (20200601) unstable; urgency=medium
  
    * debian/control:
      Set Standards-Version: 4.5.0.2
      Set Build-Depends: debhelper-compat (= 13)
    * debian/copyright:
      Replace tabs in license text
    * mozilla/{certdata.txt,nssckbi.h}:
      Update Mozilla certificate authority bundle to version 2.40.
      Closes: #956411, #955038
    * mozilla/blacklist.txt
      Add distrusted Symantec CA list to blacklist for explicit removal.
      Closes: #911289
      Blacklist expired root certificate, "AddTrust External Root"
      Closes: #961907
      The following certificate authorities were added (+):
      + "Certigna Root CA"
      + "emSign ECC Root CA - C3"
      + "emSign ECC Root CA - G3"
      + "emSign Root CA - C1"
      + "emSign Root CA - G1"
      + "Entrust Root Certification Authority - G4"
      + "GTS Root R1"
      + "GTS Root R2"
      + "GTS Root R3"
      + "GTS Root R4"
      + "Hongkong Post Root CA 3"
      + "UCA Extended Validation Root"
      + "UCA Global G2 Root"
      The following certificate authorities were removed (-):
      - "AddTrust External Root"
      - "Certinomis - Root CA"
      - "Certplus Class 2 Primary CA"
      - "Deutsche Telekom Root CA 2"
      - "GeoTrust Global CA"
      - "GeoTrust Primary Certification Authority"
      - "GeoTrust Primary Certification Authority - G2"
      - "GeoTrust Primary Certification Authority - G3"
      - "GeoTrust Universal CA"
      - "thawte Primary Root CA"
      - "thawte Primary Root CA - G2"
      - "thawte Primary Root CA - G3"
      - "VeriSign Class 3 Public Primary Certification Authority - G4"
      - "VeriSign Class 3 Public Primary Certification Authority - G5"
      - "VeriSign Universal Root Certification Authority"
  
  ca-certificates (20190110) unstable; urgency=high
  
    * debian/control:
      Depend on openssl (>= 1.1.1).
      Set Standards-Version: 4.3.0.1.
      Set Build-Depends: debhelper-compat (= 12); drop d/compat
      Remove trailing whitespace from d/changelog.
    * debian/ca-certificates.postinst:
      Fix permissions on /usr/local/share/ca-certificates when using symlinks.
      Closes: #916833
    * sbin/update-ca-certificates:
      Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl
      rehash` from exiting with an error. Closes: #895482, #895473
      This will also fix removal of user CA certificates from /usr/local without
      needing to run --fresh. Closes: #911303
    * mozilla/{certdata.txt,nssckbi.h}:
      Update Mozilla certificate authority bundle to version 2.28.
      The following certificate authorities were added (+):
      + "GlobalSign Root CA - R6"
      + "OISTE WISeKey Global Root GC CA"
      The following certificate authorities were removed (-):
      - "Certplus Root CA G1"
      - "Certplus Root CA G2"
      - "OpenTrust Root CA G1"
      - "OpenTrust Root CA G2"
      - "OpenTrust Root CA G3"
      - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
      - "Visa eCommerce Root"
  
  ca-certificates (20180409) unstable; urgency=medium
  
    [ Michael Shuler ]
    * mozilla/{certdata.txt,nssckbi.h}:
      Update Mozilla certificate authority bundle to version 2.22.
      The following certificate authorities were added (+):
      + "GDCA TrustAUTH R5 ROOT"
      + "SSL.com EV Root Certification Authority ECC"
      + "SSL.com EV Root Certification Authority RSA R2"
      + "SSL.com Root Certification Authority ECC"
      + "SSL.com Root Certification Authority RSA"
      + "TrustCor ECA-1"
      + "TrustCor RootCert CA-1"
      + "TrustCor RootCert CA-2"
      The following certificate authorities were removed (-):
      - "ACEDICOM Root"
      - "AddTrust Low-Value Services Root"
      - "AddTrust Public Services Root"
      - "AddTrust Qualified Certificates Root"
      - "CA Disig Root R1"
      - "CNNIC ROOT"
      - "Camerfirma Chambers of Commerce Root"
      - "Camerfirma Global Chambersign Root"
      - "Certinomis - Autorité Racine"
      - "Certum Root CA"
      - "China Internet Network Information Center EV Certificates Root"
      - "Comodo Secure Services root"
      - "Comodo Trusted Services root"
      - "DST ACES CA X6"
      - "GeoTrust Global CA 2"
      - "PSCProcert"
      - "Security Communication EV RootCA1"
      - "Swisscom Root CA 1"
      - "Swisscom Root CA 2"
      - "Swisscom Root EV CA 2"
      - "TURKTRUST Certificate Services Provider Root 2007"
      - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
      - "UTN USERFirst Hardware Root CA"
    * mozilla/blacklist.txt
      Update blacklist to remove certificates no longer in certdata.txt and
      explicitly ignore distrusted certificates.
    * debian/copyright:
      Fix lintian insecure-copyright-format-uri with https URL.
    * debian/changelog:
      Fix lintian file-contains-trailing-whitespace.
    * debian/{compat,control}:
      Set to debhelper compat 11.
    * Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
      usage of `c_rehash` script. Closes: #895075
  
    [ Thijs Kinkhorst ]
    * Remove Christian Perrier from uploaders at his request (closes: #894070).
    * Checked for policy 4.1.4, no changes.
  
  ca-certificates (20170717) unstable; urgency=medium
  
    * Update to Standards-Version: 4.0.1
    * debian/ca-certificates.postinst:
      Prevent postinst failure on read-only /usr/local. Closes: #843722
    * mozilla/certdata2pem.py:
      Remove email-only roots from mozilla trust store. Closes: #721976
    * mozilla/{certdata.txt,nssckbi.h}:
      Update Mozilla certificate authority bundle to version 2.14.
      Closes: #858064
      The following certificate authorities were added (+):
      + "AC RAIZ FNMT-RCM"
      + "Amazon Root CA 1"
      + "Amazon Root CA 2"
      + "Amazon Root CA 3"
      + "Amazon Root CA 4"
      + "D-TRUST Root CA 3 2013"
      + "LuxTrust Global Root 2"
      + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
      The following certificate authorities were removed (-):
      - "AC Raiz Certicamara S.A."
      - "ApplicationCA - Japanese Government"
      - "Buypass Class 2 CA 1"
      - "ComSign CA"
      - "EBG Elektronik Sertifika Hizmet Saglayicisi"
      - "Equifax Secure CA"
      - "Equifax Secure eBusiness CA 1"
      - "Equifax Secure Global eBusiness CA"
      - "IGC/A"
      - "Juur-SK"
      - "Microsec e-Szigno Root CA"
      - "Root CA Generalitat Valenciana"
      - "RSA Security 2048 v3"
      - "S-TRUST Authentication and Encryption Root CA 2005 PN"
      - "S-TRUST Universal Root CA"
      - "SwissSign Platinum CA - G2"
      - "TC TrustCenter Class 3 CA II"
      - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
      - "UTN USERFirst Email Root CA"
      - "Verisign Class 1 Public Primary Certification Authority"
      - "Verisign Class 1 Public Primary Certification Authority - G3"
      - "Verisign Class 2 Public Primary Certification Authority - G2"
      - "Verisign Class 2 Public Primary Certification Authority - G3"
      - "Verisign Class 3 Public Primary Certification Authority"
      - "WellsSecure Public Root Certificate Authority"

-- Steve McIntyre <93sam@debian.org>  Tue, 09 Jun 2020 01:09:35 +0100

9.12.2-20200515

Updates in 1 source package(s), 8 binary package(s):

  Source apt, binaries: apt:amd64 apt-utils:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 apt:arm64 apt-utils:arm64 libapt-inst2.0:arm64 libapt-pkg5.0:arm64  
  apt (1.4.10) stretch-security; urgency=high
  
    * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
      - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
      - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
        member names in error path
      - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
        member names in error path
      - CVE-2020-3810
    * Fix-up size in 1.4.9 security fix test case
    * Add .gitlab-ci.yml for CI testing on Salsa

-- Steve McIntyre <93sam@debian.org>  Sun, 17 May 2020 17:31:14 +0100

9.12.1-20200328

Updates in 1 source package(s), 2 binary package(s):

  Source icu, binaries: libicu57:amd64 libicu57:arm64  
  icu (57.1-6+deb9u4) stretch-security; urgency=high
  
    * Backport upstream security fix for CVE-2020-10531: SEGV_MAPERR in
      UnicodeString::doAppend() (closes: #953747).

-- Steve McIntyre <93sam@debian.org>  Sun, 29 Mar 2020 15:38:53 +0100

9.12.0

  First build for 9.12.0 release

-- Steve McIntyre <93sam@debian.org>  Sun, 09 Feb 2020 14:59:24 +0000
