Fix an endless loop DoS vulnerability in parse_packet().

[pkg-collectd.git] / debian / changelog

diff --git a/debian/changelog b/debian/changelog
index 3ca252c6614584cd5c8098b60002773f06b7782f..792b53ff82961d4afaffc8c5ad238a1ca5f18990 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,18 +1,235 @@
+collectd (5.1.0-3+deb7u3) wheezy-security; urgency=high
+
+  * CVE-2017-7401: Fix an endless loop DoS vulnerability in parse_packet().
+    When a correct "Signature part" is received by a Collectd instance
+    configured without the AuthFile option, an endless loop occurs due to a
+    missing pointer increment to the next unprocessed part. (Closes: #859494)
+
+ -- Chris Lamb <lamby@debian.org>  Tue, 04 Apr 2017 16:45:15 +0200
+
+collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high
+
+  * debian/patches/bts833013-gcry-init.dpatch: Fix initialization of
+    libgcrypt: Initialize the library before using any other functions to
+    ensure that thread-safety is set up appropriately. This fixes potential
+    crashes of the network plugin and a regression introduced in
+    5.1.0-3+deb7u1 which ultimately surfaced the issue. Thanks to Antoine
+    Sirinelli for reporting this. (Closes: #833013)
+
+ -- Sebastian Harl <tokkee@debian.org>  Wed, 03 Aug 2016 22:59:23 +0200
+
+collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high
+
+  * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
+    plugin. Emilien Gaspar has identified a heap overflow in parse_packet(),
+    the function used by the network plugin to parse incoming network packets.
+    Thanks to Florian Forster for reporting the bug in Debian.
+    (Closes: #832507, CVE-2016-6254)
+  * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of
+    gcry_control. A team of security researchers at Columbia University and
+    the University of Virginia discovered that GCrypt's gcry_control is
+    sometimes called without checking its return value for an error. This may
+    cause the program to be initialized without the desired, secure settings.
+    (Closes: #832577)
+
+ -- Sebastian Harl <tokkee@debian.org>  Thu, 28 Jul 2016 20:52:12 +0200
+
+collectd (5.1.0-3) unstable; urgency=low
+
+  * debian/patches/migrate-4-5-df.dpatch, debian/collectd-core.postinst:
+    - Added patch to fix the migration of 'df' values in migrate-4-5.px;
+      thanks to 'markuskaindl' for reporting this on IRC.
+    - Pass --rrdfilter and --rrdtool parameters to migrate-4-5.px in order to
+      let the script find those binaries/scripts.
+    (Closes: #681363)
+  * debian/collectd-core.collectd.init.d:
+    - Catch disabled state in start and restart and don't exit with an error
+      status. Amongst others, this fixes an upgrade of collectd when the
+      daemon is disabled. Thanks to Florian Ernst for reporting this and
+      Evgeni Golov for providing (an early) patch (Closes: #681216).
+    - Don't use 'set -e' and 'exit 0' (at the end) in order to let return
+      statuses propagate correctly. (cf. #681216)
+
+ -- Sebastian Harl <tokkee@debian.org>  Sun, 15 Jul 2012 11:17:10 +0200
+
+collectd (5.1.0-2) unstable; urgency=low
+
+  * debian/collectd-core.postinst:
+    - Don't create unused temp. directory.
+  * debian/control, debian/rules:
+    - Build depend on libmodbus-dev and enabled modbus plugin. 5.1 now
+      supports libmodbus 3; thanks to Ivo De Decker for reporting this
+      (Closes: #639796).
+  * debian/po:
+    - Updated Swedish debconf translation; thanks to Martin Bagge
+      (Closes: #677842).
+    - Added Slovak debconf translation; thanks to 'helix84'
+      (Closes: #677902).
+    - Updated Danish debconf translation; thanks to Joe Dalton
+      (Closes: #677908).
+    - Updated Czech debconf translation; thanks to Martin Šín
+      (Closes: #677949).
+    - Updated Russian debconf translation; thanks to Yuri Kozlov
+      (Closes: #678016).
+    - Updated Portuguese debconf translation; thanks to Américo Monteiro
+      (Closes: #678048).
+    - Updated Polish debconf translation; thanks to Michał Kułach
+      (Closes: #678157).
+    - Updated Galician debconf translation; thanks to Jorge Barreiro
+      (Closes: #678467).
+    - Updated French debconf translation; thanks to Steve Petruzzello
+      (Closes: #678614).
+    - Updated Spanish debconf translation; thanks to Omar Campagne
+      (Closes: #679281).
+  * debian/collectd-core.collectd.init.d:
+    - Source /lib/lsb/init-functions in order to make systemd work in
+      compatibility mode; thanks to Michael Stapelberg for reporting this
+      (Closes: #679544).
+    - Use log_* and status_of_proc functions from LSB's init functions to
+      make collectd's output look like all the other output; thanks to
+      Matthias Urlichs for pointing this out (Closes: #679355).
+
+ -- Sebastian Harl <tokkee@debian.org>  Sat, 30 Jun 2012 13:27:41 +0200
+
+collectd (5.1.0-1) unstable; urgency=low
+
+  * New upstream release (Closes: #630968):
+    - syslog plugin now supports logging notifications; thanks to Trent W.
+      Buck for suggesting this (Closes: #632940).
+    New plugins:
+    - AMQP output plugin: amqp
+    - AIX logical partitions statistics: lpar (disabled in Debian; AIX only)
+    - Network interface card statistics: ethstat (disabled on kfreebsd; Linux
+      only)
+    - Linux software-RAID device information: md (disabled on kfreebsd; Linux
+      only)
+    - Information about Non-Uniform Memory Access: numa (disabled on kfreebsd;
+      Linux only)
+    - Redis key-value database server statistics: redis (disabled in Debian;
+      libcredis is not available)
+    - Check thresholds and for missing values: threshold
+    - Varnish HTTP accelerator daemon statistics: varnish
+    - Sends data to Carbon, the storage layer of Graphite: write_graphite
+    - Write values to a MongoDB NoSQL database server: write_mongodb (disabled
+      in Debian; libmongoc is not available)
+    - Write values to a Redis key-value database server: write_redis (disabled
+      in Debian; libcredis is not available)
+    New targets:
+    - Upgrade data-sets from v4 clients to v5: v5upgrade
+  * debian/rules:
+    - Disabled lpar plugin -- this requires AIX (perfstat).
+    - Disabled redis and write_redis plugins -- they require libcredis.
+    - Disabled write_mongodb plugin -- this requires libmongoc.
+    - Disabled ethstat, md, and numa plugins on kfreebsd -- these plugins are
+      Linux specific.
+    - Install contrib/exec-ksm.sh as example.
+  * debian/control:
+    - Added build-dep on librabbitmq-dev, required by the AMQP plugin.
+    - Added build-dep on libvarnish-dev, required by the varnish plugin.
+  * debian/collectd-utils.install:
+    - Install collectdctl and collectdctl.1 to collectd-utils.
+  * debian/libcollectdclient0.symbols:
+    - Added lcc_sort_identifiers introduced in 5.1.0.
+  * debian/NEWS.Debian:
+    - Documented the upgrade from version 4 to 5.
+  * debian/collectd-core.install:
+    - Install migrate-4-5.px.
+  * debian/collectd-core.{config,postinst,templates}:
+    - Added debconf queries and code to automatically migrate from v4.
+  * debian/source/format:
+    - Set to "1.0" for now.
+  * debian/po/:
+    - Updated German debconf template translation.
+  * debian/collectd-core.override:
+    - Limit netlink override to appropriate architectures.
+
+ -- Sebastian Harl <tokkee@debian.org>  Wed, 13 Jun 2012 08:05:01 +0200
+
+collectd (4.10.7-2) unstable; urgency=low
+
+  * debian/po:
+    - Updated Czech debconf translation; thanks to Martin Šín
+      (Closes: #673693).
+    - Updated Polish debconf translation; thanks to Michał Kułach
+      (Closes: #673697).
+    - Updated Dutch debconf translation; thanks to Jeroen Schot
+      (Closes: #673769).
+    - Updated Swedish debconf translation; thanks to Martin Bagge
+      (Closes: #673888).
+    - Updated Russian debconf translation; thanks to Vladimir Zhbanov
+      (Closes: #673890).
+    - Added Italian debconf translation; thanks to Beatrice Torracca
+      (Closes: #674044).
+    - Updated Portuguese debconf translation; thanks to Américo Monteiro
+      (Closes: #674065).
+    - Updated Danish debconf translation; thanks to Joe Dalton
+      (Closes: #674459).
+    - Updated Brazilian Portuguese debconf translation; thanks to Adriano
+      Rafael Gomes (Closes: #674589).
+    - Updated French debconf translation; thanks to Steve Petruzzello and
+      Christian PERRIER (Closes: #674629).
+    - Updated Spanish debconf translation; thanks to Omar Campagne
+      (Closes: #676383).
+    - Updated German debconf translation based on Holger Wansing's feedback on
+      debian-l10n-german.
+
+ -- Sebastian Harl <tokkee@debian.org>  Sun, 10 Jun 2012 13:49:32 +0200
+
 collectd (4.10.7-1) unstable; urgency=low
 
   * New upstream release.
     - Fixed an endless loop in case the datadir is a symlink pointing to a
       non-existent target; thanks to Michael Prokop for reporting this and
       Jonathan Nieder for providing the patch (Closes: #619123).
+    - Use bsd/nlist.h rather than the deprecated nlist.h on FreeBSD fixing a
+      FTBFS on kfreebsd; thanks to Tobias Frost for reporting this
+      (Closes: #664429).
   * debian/patches/:
     - Removed ipvs_h_include.dpatch -- applied upstream.
+    - Added rtnl_dump_filter.dpatch, updating the rtnl_dump_filter() signature
+      to recent versions of iproute2.
   * debian/rules:
     - Use dpkg-buildflags to determine compiler/linker flags; this also
       enables hardening build flags; thanks to Moritz Muehlenhoff for
       providing the patch (Closes: #656271).
+    - Don't force building of the ipvs plugin. The ip_vs.h check has been
+      fixed in configure.
+    - Use /usr/share/javahelper/java-arch.sh to determine the Java
+      architecture directory, thus, making sure armhf and armel are supported
+      as well; thanks to peter green for reporting this and providing the
+      pointer (Closes: #656274).
+    - Work around #673431 (kvm.h requires sys/types.h) by forcing the processes
+      plugin on kfreebsd and manually defining HAVE_STRUCT_KINFO_PROC_FREEBSD.
   * debian/README.Debian:
     - Added section 'Cleanup of old data' explaining how to get rid of
       out-dated data files (e.g. RRD files).
+  * debian/control:
+    - Updated to standards-version 3.9.3 -- no changes.
+    - Build depend on javahelper providing java-arch.sh.
+    - Use linux-any, kfreebsd-any, etc. rather than hardcoded list of
+      non-Linux architectures to make life of porters easier; thanks to Robert
+      Millan for reporting this and providing a pointer to the fix
+      (Closes: #634690).
+    - Explicitly build-depend on libkvm-dev on kfreebsd; this is required by
+      the processes, swap and tcpconns plugins.
+  * debian/collectd-core.postrm, debian/collectd-core.templates:
+    - Prompt the user (debconf priority high) when purging the collected data
+      providing an option to opt out. The question defaults to remove the
+      data; thanks to Trent W. Buck for reporting and discussing this
+      (Closes: #631167).
+  * debian/collectd-core.collectd.init.d:
+    - Added cpufrequtils to should-start, else collectd does not reliably
+      detect all CPUs; thanks to Mathias Bauer for reporting and debugging
+      this (Closes: #662040).
+    - Use the exit codes specified by LSB in 'status' command; thanks to
+      Michael Prokop for reporting this (Closes: #615840).
+  * debian/po/:
+    - Added Danish debconf template translation; thanks to Joe Dalton
+      (Closes: #660918).
+    - Added Brazilian Portuguese debconf template translation; thanks to
+      Adriano Rafael Gomes (Closes: #662174).
+    - Added Polish debconf template translation; thanks to Michał Kułach
+      (Closes: #672739).
 
  -- Sebastian Harl <tokkee@debian.org>  Thu, 17 May 2012 15:55:39 +0200