Debian Backports

Introduction

You are running Debian stable, because you prefer the stable Debian tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. That is where backports come in.

Backports are recompiled packages from testing (mostly) and unstable (in a few cases only, e.g. security updates), built so that they run on a stable Debian release without new libraries (wherever possible). I recommend picking out the single backports that fit your needs, not using all the backports available here.

News

Mon, Sep 03 14:55:00 CEST 2007

Security Update for clamav

Sebastian Harl uploaded new packages for clamav which fixed the following security problems:

CVE-2007-4510

  It was discovered that the RTF and RFC2397 parsers can be tricked
  into dereferencing a NULL pointer, resulting in denial of service.

CVE-2007-4560

  It was discovered that clamav-milter performs insufficient input
  sanitising, resulting in the execution of arbitrary shell commands.

For the sarge-backports distribution the problems have been fixed in version 0.91.2-1~bpo31+1.

For the etch-backports distribution the problems have been fixed in version 0.91.2-1~bpo40+1.



Security update for egroupware

Jan Wagner uploaded new packages for egroupware which fixed the following security problem:

CVE-2007-4048

Cross-site scripting (XSS) vulnerability in index.php in phpSysInfo
2.5.4-dev and earlier allows remote attackers to inject arbitrary web
script or HTML via the PATH_INFO.

This issue has been fixed in the 1.2.107-2.dfsg-1.1~bpo40+1 package in etch-backports.

Thu Jul 26 10:26:11 CEST 2007

Security Update for clamav

Sebastian Harl uploaded new packages for clamav which fixed the following security problem:

CVE-2007-3725

A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV) which allows user-assisted remote attackers to
cause a denial of service via a specially crafted RAR archive.

For the sarge-backports distribution the problem has been fixed in version 0.91.1-1~bpo.1.

For the etch-backports distribution the problem has been fixed in version 0.91.1-1~bpo.2.

Wed Jun 27 22:50:59 CEST 2007

Security Update for lighttpd

Dominic Hargreaves uploaded a security update for lighttpd in sarge-backports which fixes the following issues:

CVE-2007-1869

Remote attackers could cause denial of service by disconnecting
partway through making a request.

CVE-2007-1870

A NULL pointer dereference could cause a crash when serving files
with an mtime of 0.

These issues have been fixed in the 1.4.13-10~bpo.2 packages in sarge-backports.

Mon, 07 May 2007 19:22:12 CEST

Rene was kind enough to upload OpenOffice.org 2.2.0-6 to Etch backports. Since a recent gcj is available in Etch, it has been moved to main again.

Tue, 1 May 2007 12:28 GMT

Etch has been released and we now have etch-backports too. See the instructions for more details.

Sun, 06 Aug 2006 10:55 GMT

I’m going to remove postgresql-8.0 from the backports.org archive. It was already removed from Debian, and the last version of the Debian package which was available is vulnerable to CVE-2006-2313 and CVE-2006-2314, hence the backport is also affected.

Please upgrade to the postgresql-8.1 backport.

Tue, 11 Jul 2006 17:56 GMT

Rene Engelhard uploaded openoffice.org 2.0.3 to backports.org last week. The update fixes some security issues, was moved to contrib, and includes the help files. For details see Rene’s mail to the backports-users mailing list.

Fri, 05 May 2006 15:03 GMT

Usually I’ll wait for an updated package in testing/unstable to fix bugs which also affect packages on backports.org. Now the time has come where this is no longer possible for a package: xorg-x11. Why? We have 6.9 in testing (and on backports.org), and 7.0 in unstable. We’ll see no more updates for the packages in testing, and backporting xorg-x11 7.0 to sarge is a pain in the ass. So we need to stick with 6.9 at least for a while, which primarily means we can’t just take a newer package from testing/unstable to fix (security related) bugs.

Yesterday I uploaded xorg-x11 6.9.0.dfsg.1-5bpo2, which fixes CVE-2006-1526, a problem which led to a buffer overflow. A local attacker could exploit this to crash the X server or even execute arbitrary code with root privileges. The patch was taken from Ubuntu’s security update.

Thu, 04 May 2006 12:53 GMT

I just uploaded firefox 1.5.dfsg+1.5.0.3-0bpo1 to backports.org this morning, because it fixed an important security related bug (see #364810). And boom... a few hours later, bug #365960 was filed. Of course, the backport is affected too. So, think twice before upgrading the firefox backport, I’m sure Eric Dorland and/or Mike Hommey (who are doing a great job maintaining a monster like firefox) are going to fix this in unstable soon.

Update: 1.5.dfsg+1.5.0.3-2 was uploaded to unstable, and the backport is already updated.

Wed, 08 Mar 2006 13:39 GMT

A little bit later than promised, I just uploaded the slides of my talk from the Chemnitzer Linux-Tage about backporting and backports.org to my website. I hope I found and fixed all remaining typos.

Tue, 07 Mar 2006 18:36 GMT

Mickael Marchand noticed a problem with the mysql-dfsg backport on amd64. I don’t own such hardware, but fortunately Christian Hammers was able to reproduce that problem, which seems not to be Debian related, so he filed a bug report in the MySQL bug tracking system.

Sun, 29 Jan 2006 10:55 GMT

We have a mailing list, please use it when you have questions about some backports. I’m not responsible for all packages on backports.org, and can’t help with every single problem. Most people uploading packages are reading this list.

Sat, 28 Jan 2006 16:33 GMT

My talk at this year’s Chemnitzer Linux-Tage about backporting in general and backports.org in particular was just accepted. See you there!
