apt (2.7.3) unstable; urgency=medium

  [ Tianon Gravi ]
  * Add "apt-patterns" reference to "apt list" description in apt(8)

  [ Frans Spiesschaert ]
  * Dutch manpages translation update (Closes: #1033904)
  * Dutch program translation update (Closes: #1033909)

  [ Mert Dirik ]
  * Turkish program translation update

  [ Remus-Gabriel Chelu ]
  * Romanian program translation update (Closes: #1040644)

  [ David Kalnischkies ]
  * Add apt-patterns(7) to apt{,-cache,-get} SEE ALSO sections

  [ Julian Andres Klode ]
  * Compare SHA256 to check if versions are really the same (Closes: #931175)
    (LP: #2029268)

apt (2.7.2) unstable; urgency=medium

  [ A. Maitland Bottoms ]
  * Do not fail on systems running in FIPSmode.

  [ Julian Andres Klode ]
  * Upload to unstable
  * update: Add notice about missing Signed-By in deb822 sources
  * doc: Bump distro versions for apt-key removal
  * dist-upgrade: Revert phased updates using keeps only (LP: #2025462)
  * Do not mark updates for install that are still phasing
  * Fix snapshot crashes with multiple components inside Ubuntu docker image

apt (2.7.1) experimental; urgency=medium

  * Seed snapshot servers for well-known hosts, including PPAs. Note that it
    is preferable for repositories to declare their snapshot server in the
    Snapshots Release file field than to rely on this feature.

apt (2.7.0) experimental; urgency=medium

  [ Jacob Kauffmann ]
  * Keep "or group" when installing package to satisfy it

  [ Julian Andres Klode ]
  * Add apt install,upgrade,... -U,--update options. Please note that this
    still releases locks in between and is subject to races.
  * Initial support for snapshot servers, apt --snapshot option. Some
    implementation details may change down the road to 2.8

linux (6.4.4-3) unstable; urgency=high

  * io_uring: gate iowait schedule on having pending requests
    (Closes: #1041855)
  * [x86] Add mitigations for Gather Data Sampling (GDS) (CVE-2022-40982)
    - init: Provide arch_cpu_finalize_init()
    - x86/cpu: Switch to arch_cpu_finalize_init()
    - ARM: cpu: Switch to arch_cpu_finalize_init()
    - ia64/cpu: Switch to arch_cpu_finalize_init()
    - loongarch/cpu: Switch to arch_cpu_finalize_init()
    - m68k/cpu: Switch to arch_cpu_finalize_init()
    - mips/cpu: Switch to arch_cpu_finalize_init()
    - sh/cpu: Switch to arch_cpu_finalize_init()
    - sparc/cpu: Switch to arch_cpu_finalize_init()
    - um/cpu: Switch to arch_cpu_finalize_init()
    - init: Remove check_bugs() leftovers
    - init: Invoke arch_cpu_finalize_init() earlier
    - init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init()
    - x86/init: Initialize signal frame size late
    - x86/fpu: Remove cpuinfo argument from init functions
    - x86/fpu: Mark init functions __init
    - x86/fpu: Move FPU initialization into arch_cpu_finalize_init()
    - x86/speculation: Add Gather Data Sampling mitigation
    - x86/speculation: Add force option to GDS mitigation
    - x86/speculation: Add Kconfig option for GDS
    - KVM: Add GDS_NO support to KVM
    - x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build
    - x86/xen: Fix secondary processors' FPU initialization
    - Documentation/x86: Fix backwards on/off logic about YMM support
  * [x86] Add a Speculative RAS Overflow (SRSO) mitigation (CVE-2023-20569)
    - x86/bugs: Increase the x86 bugs vector size to two u32s
    - x86/srso: Add a Speculative RAS Overflow mitigation
    - x86/srso: Add IBPB_BRTYPE support
    - x86/srso: Add SRSO_NO support
    - x86/srso: Add IBPB
    - x86/srso: Add IBPB on VMEXIT
    - x86/srso: Fix return thunks in generated code
    - x86/srso: Add a forgotten NOENDBR annotation
    - x86/srso: Tie SBPB bit setting to microcode patch detection
  * Bump ABI to 2

postgresql-15 (15.4-1) unstable; urgency=medium

  * New upstream version.

    + Disallow substituting a schema or owner name into an extension script
      if the name contains a quote, backslash, or dollar sign (Noah Misch)

      This restriction guards against SQL-injection hazards for trusted
      extensions.

      The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim
      Carey-Smith, and Christoph Berg for reporting this problem.
      (CVE-2023-39417)

    + Fix MERGE to enforce row security policies properly (Dean Rasheed)

      When MERGE performs an UPDATE action, it should enforce any UPDATE or
      SELECT RLS policies defined on the target table, to be consistent with
      the way that a plain UPDATE with a WHERE clause works. Instead it was
      enforcing INSERT RLS policies for both INSERT and UPDATE actions.

      In addition, when MERGE performs a DO NOTHING action, it applied the
      target table's DELETE RLS policies to existing rows, even though those
      rows are not being deleted. While it's not a security problem, this
      could result in unwanted errors.

      The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
      (CVE-2023-39418)

  * Test-Depend on tzdata-legacy | tzdata (<< 2023c-8).

postgresql-15 (15.3-1) experimental; urgency=medium

  * New upstream version.

    + Prevent CREATE SCHEMA from defeating changes in search_path
      (Report and fix by Alexander Lakhin, CVE-2023-2454)

      Within a CREATE SCHEMA command, objects in the prevailing search_path,
      as well as those in the newly-created schema, would be visible even
      within a called function or script that attempted to set a secure
      search_path. This could allow any user having permission to create a
      schema to hijack the privileges of a security definer function or
      extension script.

    + Enforce row-level security policies correctly after inlining a
      set-returning function (Report by Wolfgang Walther, CVE-2023-2455)

      If a set-returning SQL-language function refers to a table having
      row-level security policies, and it can be inlined into a calling
      query, those RLS policies would not get enforced properly in some cases
      involving re-using a cached plan under a different role. This could
      allow a user to see or modify rows that should have been invisible.

  * Reenable JIT on s390x using workaround patch from SUSE.