mono (2.10.8.1-8+deb7u1) wheezy-security; urgency=high * [c2afe08] Mono's implementation of the SSL/TLS stack failed to check the order of the handshake messages. Which would allow various attacks on the protocol to succeed. ("SKIP-TLS" attack). (Closes: #780751, CVE-2015-2318) * [997bd08] Remove the client-side SSLv2 fallback. There's almost no SSLv3 web site left so a v2 fallback is only extra code we do not need to carry forward. (Closes: #780751, CVE-2015-2320) * [b570325] Remove the EXPORT ciphers and related code path. That was still useful in 2003/2004 but the technical and legal landscape changed a lot since then. Removing the old, limited key size, cipher suites also allow removed additional parts of the code that deals with them. ("FREAK" attack) (Closes: #780751, CVE-2015-2319) -- Jo Shields Thu, 19 Mar 2015 11:32:12 +0000 mono (2.10.8.1-8) unstable; urgency=high * [b9108c7] Dirty patch to introduce a new System.Windows.Forms.WebBrowser back-end, which does absolutely nothing. This is to allow applications which create a WebBrowser object to continue to run without crashing, in the absence of a working browser back-end (which we lack right now). This patch is sufficient for http://www.java2s.com/Tutorial/CSharp/0460__GUI-Windows-Forms/AsimpleBrowser.htm to run without crashing. (Closes: #683289, #694948) -- Jo Shields Sun, 03 Mar 2013 17:36:38 +0000 mono (2.10.8.1-7) unstable; urgency=high [ Jo Shields ] * [4a46aae] Remove armhf from mono-archs.make - It should have been removed in 2.10.8.1-6 but was overlooked (Closes: #695743) [ Marek Habersack ] * [226b326] Fix for Novell bug #739119 (Closes: #686562, CVE-2012-3543) * [6983b45] Update to fix for Novell bug #739119 -- Jo Shields Mon, 28 Jan 2013 10:27:00 +0000 mono (2.10.8.1-6) unstable; urgency=low * [da2fc97] Remove armhf from list of supported architectures. It ain't supported by the runtime in Mono 2.10.x, and trying to shoehorn it in was more difficult than we had hoped. It will return in the future, for Mono 2.12. (Closes: #682284) -- Jo Shields Mon, 27 Aug 2012 17:15:03 +0100 mono (2.10.8.1-5) unstable; urgency=high [ Jo Shields ] * [c05ec16] Add symbols file for ppc64 (Closes: #651664) [ Mirco Bauer ] * [4e87058] Fixed version of ppc64 specific symbol mono_exc_esp_offset was introduced in 2.10.1 which is also backport-friendly [ Gonzalo Paniagua Javier ] * [1930eb3] HtmlEncode the path. Fixes Novell bug #769799. (Closes: #681095, CVE-2012-3382) -- Jo Shields Wed, 11 Jul 2012 19:13:12 +0100 mono (2.10.8.1-4) unstable; urgency=low [ Iain Lane ] * [10b15d4] Pass LDFLAGS to binfmt-detector-cli too (Closes: #657518) [ Jo Shields ] * [f77ef2f] Tweak build system to check multiarch library folder for libX11.so. -- Jo Shields Sun, 27 May 2012 15:28:00 +0100 mono (2.10.8.1-3) unstable; urgency=low * [c934e01] Remove unused File::Basename import from runtime script. Having this present causes failures on release upgrades where perl-base and perl-modules are not in a consistent state (e.g. this can happen when upgrading across major Perl versions). (Closes: #665335) (LP: #948848) * [9e3cc40] Remove monodoc-base trigger. This trigger updated the monodoc search index. It ended up calling /usr/bin/monodoc, which is shipped in the monodoc-browser package (source package mono-tools). The script attempted to check that monodoc-browser was configured, but didn't get this right. This led to numerous upgrade failures when Depends of monodoc-browser were not satisfied when the trigger was invoked and calling monodoc to update the search index bombed out due to this. It's more correct to just have monodoc-browser ship this trigger itself. (LP: #972751) * [dd2925c] Standards-Version bump to 3.9.3, no changes required * [8299ee0] Remove duplicate Depends in mono-complete * [508c4f5] Revert "Merge branch 'master-patches/fix_crash_in_fixup_cattrs'" This reverts commit 86127dcf508213eac5b50a65c989cf5971b57378, reversing changes made to 55a1a20a4d858346ed8a8d840abc3f9230ea816e. This branch introduced regressions which caused both nant and mono-upnp (at least) to FTBFS. (Closes: #666623) * [61fbbe4] Fix ARM printf format problems. When building with -Werror=format-security on ARM, mono fails to build due to incorrect format strings in arm-dis.c (cherry picked from commit 32c1b70ad164640ff0a2739e66884d0279cfe7c7) Signed-off-by: Iain Lane * [9883116] Pass CFLAGS and CPPFLAGS when building binfmt-detector. Ensures hardening support is enabled for this binary. Thanks to Simon Ruderich (Closes: #657518) * [4bb0138] Ensure compiler flags are passed into build system. This issue was discovered when it was noted that Debian's hardening buildflags weren't being propogated to all binaries. The patch is from Simon Ruderich (cherry picked from commit d6dcfb27fc6252352f6ad6f8bd9ef5cff206fd46) Also Closes: #657518 -- Iain Lane Wed, 04 Apr 2012 21:15:59 +0100 mono (2.10.8.1-2) unstable; urgency=low [ Zoltan Varga ] * [52cf3ab] Modify fixup_cattrs () to handle a corner case where a cattr is created using a MonoCMethod instead of a ConstructorBuilder. [ Moritz Muehlenhoff ] * [96d7d4a] Use dpkg-buildflags for enabling hardened build flags (closes: #657518) [ Mirco Bauer ] * [de40c42] Bumped dpkg-dev build-dep to >= 1.16.1~ as we include buildflags.mk of it -- Mirco Bauer Thu, 22 Mar 2012 22:00:34 +0100 mono (2.10.8.1-1) unstable; urgency=low [ Jb Evain ] * [b31e994] [mono-api-info] try to read local files before using the resolver [ Mirco Bauer ] * [e6134cc] Imported Upstream version 2.10.8.1 * [e8b34c9] Added s390x specific symbols to libmono-2.0-1.symbols.s390x * [ad7a051] Copied armel specific symbols to libmono-2.0-1.symbols.armhf * [1001d95] Added new symbol to libmono-2.0-1.symbols * [c17bea6] Build mono-api-diff and MonoGetAssemblyName with dmcs instead of gmcs * [1388ad0] Bumped clilibs of libmono-system4.0-cil, libmono-sqlite{2,4}.0-cil and libmono-microsoft-build-framework4.0-cil to >= 2.10.7 * [7bb7153] Added -a switch (ABI) to mono-api-check * [b35dd98] Imported Upstream version 2.10.8.1 * [a251cb0] Fixed typo in package short description of libmono-webmatrix-data4.0-cil (closes: #656671) * [b35dd98] Imported Upstream version 2.10.8.1 * [03f5030] Updated RUN_MONO variable for a 4.0 runtime -- Mirco Bauer Sun, 05 Feb 2012 19:21:10 +0100 mono (2.10.5-2) unstable; urgency=low [ Mirco Bauer ] * Upload to unstable [ Sebastien Pouliot ] * [80b0a2d] Add support for validating RSA-based X.509 certifcates using SHA256 * [977f0e0] Avoid ANE when a key algorithm parameters is really null (not just ASN.1 null) * [83468f9] Avoid throwing when verifying an RSA certificate with dsaSHA1 * [2050ee0] Add MD4, SHA384 and SHA512 signature verification to X.509 certificates * [ab80293] Fix X.500 DN comparison * [d864bce] Avoid throwing an ANE on an invalid X.509 extension * [ab2997c] Add entries for MD4 in machine.config -- Mirco Bauer Mon, 16 Jan 2012 04:50:58 +0100 mono (2.10.5-1) experimental; urgency=low * [854fa78] Imported Upstream version 2.10.5 -- Mirco Bauer Thu, 25 Aug 2011 22:26:08 +0200 mono (2.10.4-3) experimental; urgency=low [ Jo Shields ] * [985d2ae] Revert "[xbuild] Make Engine.DefaultToolsVersion 2.0 ." This reverts commit 4010c69c7d61223c73f111be2d79c4a440b70b45. -- Mirco Bauer Mon, 22 Aug 2011 22:44:41 +0200 mono (2.10.4-2) experimental; urgency=low * [77d26a4] Fixed failing upgrade of libmono-webbrowser0.5-cil to libmono-webbrowser2.0-cil with conflicts/replaces -- Mirco Bauer Fri, 12 Aug 2011 21:19:36 +0200 mono (2.10.4-1) experimental; urgency=low [ Mirco Bauer ] * New upstream (bugfix) release * [6a8fc99] Install mono-api-diff.exe in mono/4.0 * [85bc08e] Imported Upstream version 2.10.4 * [113d0f0] Wrapped too long debian/changelog lines [ Miguel de Icaza ] * [03ceab5] Do not throw if we get a RunAndCollect -- Mirco Bauer Thu, 11 Aug 2011 21:32:53 +0200 mono (2.10.3-1) experimental; urgency=low * The "from Xamarin with love" release [ Mirco Bauer ] * [5f13e09] Updated download URL in debian/watch * [4abf062] Added desktop file for mono with and without a terminal window * [f165789] Imported Upstream version 2.10.3 * [b51b15c] Dropped unused libglib2.0-dev from build-deps which was replaced by Mono's own eglib * [00a5c48] Fixed manpage reference for cli-csc alternative * [b6fb713] New patch structure * [6cb63b3] Use debian-branch instead of current branch * [3956527] Added I18N west package as dependency to WinForms as the RichTextBox class requires CP1252 (closes: #629151) * [997bec0] Mono.WebBrowser library is now shipped in both 2.0 and 4.0 runtime flavors * [dfd65af] Added /usr/lib/mono/xbuild-frameworks to mono-xbuild package * [12478bf] Removed useless dh_makeclilibs call for not existing libmono-winforms4.0-cil * [3d2d42c] Allow the inclusion of the binary file debian/mono-runtime.png * [2a814af] Fixed missing separator in Depends field of libmono-microsoft-visualc10.0-cil and libmono-microsoft-web-infrastructure1.0-cil * [491534a] Fixed non-binNMUable error for mono-devel * [eb78f74] Fixed spelling mistake according to lintian: s/allows to/allows one to/ * [5fae96e] Fixed too long extended description line for mono-runtime-sgen * [5dbb6e1] Set single-debian-patch in debian/source/options * [98bf4a8] Added CLI 4.0 support to mono-api-check * [5965895] Bumped clilibs to 2.10.3 where appropriate * [e706e60] New lame API check tool: mono-api-source-check (only use at your own risk!) [ Zoltan Varga ] * [300bb53] Apply a workaround for a gcc 4.6 problem on arm. -- Mirco Bauer Wed, 10 Aug 2011 23:52:12 +0200 mono (2.10.1-4) experimental; urgency=low [ Zoltan Varga ] * [db3ee8c] Only use memory barriers on arm when running on armv6 or later. * [cf1d8e8] Add a membar to libgc's UNLOCK () on arm. Fixes Mono#683409. [ Jo Shields ] * [0e3d427] Ensure SIGXFSZ is used instead of SIGPWR on kFreeBSD. (Closes: #621907) * [8cd4f00] Define CPU registers on kFreeBSD/AMD64, to prevent build failures. [ Mirco Bauer ] * [9546eb7] Added armel specific symbols to libmono-2.0-1.symbols.armel -- Mirco Bauer Sun, 10 Apr 2011 17:16:47 +0200 mono (2.10.1-3) experimental; urgency=low [ Jo Shields ] * [0fd2fc1] Tweak architecture checks in configure.in so kfreebsd-gnu is considered an SGen-capable architecture. (closes: #621448) [ Mirco Bauer ] * [26a6ee8] Moved architecture dependent symbols into libmono-2.0-1.symbols.$arch -- Mirco Bauer Sat, 09 Apr 2011 15:15:04 +0200 mono (2.10.1-2) experimental; urgency=low * [aba0fce] Dropped obsolete archs: arm, armeb and lpia; no longer supported arch: s390; added potential new archs: armhf, ppc64 and s390x; only build and install sgen on supported archs * [66a0541] kfreebsd support for Mono 2.10.1 - mainly backport of gc 6.8 (closes: #621031) -- Mirco Bauer Thu, 07 Apr 2011 01:33:02 +0200 mono (2.10.1-1) experimental; urgency=low * The "size does matter" release [ Mirco Bauer ] * New upstream release + For release highlights see the NEWS.Debian file of the mono-runtime package [ Jo Shields ] * [5c6aba5] Imported Upstream version 2.8 * [f85b0b1] Imported Upstream version 2.8.1 [ Mirco Bauer ] * [01df276] Pass parallel variable in DEB_BUILD_OPTIONS to mono/Makefile * [e3871f8] Build libgc before mono [ Jo Shields ] * [98cb87c] Imported Upstream version 2.10~rc1 * [b401a2a] Add test which is missing from 2.10~rc1 tarballs, causing test suite to fail to build [ Mirco Bauer ] * [79f2862] Build eglib before libgc and made them parallel buildable * [58bf7d7] Renamed libmono0 package to libmono-2.0-1 following the new soname * [f1e4e50] Provide deb-symbols for libmono-2.0-1 * [7be8ed1] Renamed libmono-dev package to libmono-2.0-dev and dropped libglib2.0-dev dependency as Mono no longer makes use of the glib * [d97f372] Moved mono.pc to libmono-cil-dev * [3cd11ad] New mono-runtime-sgen package which contains the Mono VM with a new garbage collector * [7f3919a] Dropped libmono-firebirdsql1.7-cil package * [c31f6e2] Stick to upstream's configure defaults except for ikvm and quiet builds * [de8c9aa] Removed obsolete cleanups * [97c07fa] Removed obsolete doc dir symlinking removal code for Ubuntu * [e6e31ff] Cleaned up Uploaders * [3c24df0] Disable automatic AOT on "make install" as this needs to be done on package install time * [1ced0ac] Merged the install-arch and install-indep target into a single install target * [3a2409b] Disable libgc's parallel mark on powerpc as it FTBFS * [97c6760] Added a 2nd test-suite pass with sgen * [af7129a] Disable sgen on powerpc for now as it needs further porting * [3f99e0e] Don't run the test-suite with sgen on powerpc [ Jo Shields ] * [9a320e5] Imported Upstream version 2.10.1 [ Mirco Bauer ] * [e618805] Don't delete ltmain.sh in clean target as autoreconf is not recreating it * [38ccb49] Updated libmono-2.0-1.symbols for 2.10.1 * [0472e8b] Dropped license and copyright information of no longer distributed FirebirdSql.Data.Firebird and Microsoft.JScript assemblies * [cb9cfec] Moved license and copyright information of RabbitMQ.Client to distinct copyright files * [d191bb3] Moved changelog entries older than 2.6.7-1 to changelog.1 * [4b69b38] Dropped mono-1.0-devel and merged mono-2.0-devel into mono-devel * [f8e8352] Re-synced debhelper tools from cli-common 0.8~git.ca22e7 with .NET 4.0 support * [dac60fb] Ignore temporarily package build directories * [78db0f9] Replaced depcrecated dh_clean -k call with dh_prep * [4cd31f2] Forcely install jay * [3e69ed3] Drop unwanted/incorrectly shipped files from upstream * [a27bef2] Dropped obsolete and added missing manpages * [b407a26] Make use of dh_install's --list-missing feature * [37638d7] Dropped obsolete and added missing dllmaps * [1597015] Bumped clilibs to >= 2.10.1 where needed * [953569a] Dropped obsolete replaces << 1.2.4-1 lines from mono-dbg * [ee0cbf6] Dropped prj2make-sharp package * [61a9ed1] Updated debian/shlibs.local for Mono 2.10.1 * [0fa85d7] Updated mono-runtime.NEWS for Mono 2.10, 2.8 and 2.6 * [15fe448] Dropped all CLI 1.0 library and C# 1.0 compiler packages as Mono 2.10 no longer supports the 1.0 runtime, added new packages for all CLI 4.0 libraries and the C# 4.0 compiler and made C# 4.0 the new default C# compiler. All CLI 2.0 library packages are left for ABI and backwards compatibility. * [59b28b7] Sorted dependencies of libmono-cil-dev for easier tracking * [9288af2] Added missing libmono-microsoft-csharp4.0-cil to libmono-cil-dev dependencies * [30cd43e] Added libmono-microsoft-csharp4.0-cil as manual dependency to mono-dmcs as needed for dynamic types * [f262b9f] Added debian/find-icalls.sh helper script which finds internal calls from the source tree * [ce1e2f5] Force the debian version. $(top_srcdir)/.git is no longer a good indicator if this is an upstream git clone or a debian git clone * [ebf531b] Switch to dpkg-source 3.0 (quilt) format * [9b7ed73] Added missing Mono.WebBrowser.dll.config -- Mirco Bauer Tue, 05 Apr 2011 00:28:57 +0200 mono (2.6.7-5) unstable; urgency=low [ Zoltan Varga ] * [7453b31] Fix a merge problem which broke tailcalls and F# support. (closes: #607465) [ Rodrigo Kumpera ] * [e32c3aa] Check generic instantions for constraint violations. (CVE-2010-4254, closes: #608288) * [7905343] Fix corlib testsuite crash. * [6eb9cab] Handle invalid instantiation of generic methods. * [fbba0ca] Disable generic instance verification is security is off. [ Mirco Bauer ] * [ec09641] Disable the use of shared memory to make Mono reliable even when /dev/shm gets exhausted. (closes: #587948) -- Mirco Bauer Sun, 09 Jan 2011 19:38:15 +0100 mono (2.6.7-4) unstable; urgency=high [ Mirco Bauer ] * [63821a1] Added libmono-nunit2.2-cil to conflicts and replaces of libmono-cil-dev for smooth upgrade from lenny (closes: #602024) * [0089f11] Moved the System.Data.Linq library into libmono-system- data-linq2.0-cil to avoid an unneeded dependency chain for most applications. * [393dc41] Demote libmono-firebirdsql1.7-cil and mono-debugger from recommends to suggests if built on Ubuntu. [ Paolo Molaro ] * [52727f0] Search for dllimported shared libs in the base directory, not cwd. * loader.c: we don't search the current directory anymore for shared libraries referenced in DllImport attributes, as it has a slight security risk. We search in the same directory where the referencing image was loaded from, instead. (CVE-2010-4159, closes: #605097) [ Zoltan Varga ] * [f17ab04] Fix stack alignment when resuming from a signal handler in the soft debugger. -- Mirco Bauer Mon, 06 Dec 2010 23:34:16 +0100 mono (2.6.7-3) unstable; urgency=low * The "welcome to new java refugees" release [ Iain Lane ] * [a2781e1] Add an environment variable to control X509 validation mode, and set default to no check * [a16f93a] Add --no-ext-diff to git diff call of git-test-debian- patches [ Mirco Bauer ] * [cb9c6c2] Fixed manpage name sections. (closes: #595149) -- Mirco Bauer Thu, 09 Sep 2010 01:09:45 +0200 mono (2.6.7-2) experimental; urgency=low [ Mirco Bauer ] * [d1bf954] Added missing tasks and targets files for xbuild 3.5 * [814bfd7] Bumped clilibs of libmono-data-tds{1,2}.0-cil, libmono- security2.0-cil, libmono-microsoft-build2.0-cil and libmono- debugger-soft0.0-cil * [3c1d0ef] Added development symlink for System.Web.Mvc to libmono- system-web-mvc1.0-cil [ Iain Lane ] * [754b410] Revert upstream commit 59db1f55409d80fc93ed, which commented out the Requires line in mono.pc.in. [ Jo Shields ] * [ea1f755] Add full definitions for all AMD64 registers on kFreeBSD. This fixes a FTBFS on kFreeBSD-AMD64. -- Mirco Bauer Tue, 24 Aug 2010 02:26:43 +0200 mono (2.6.7-1) experimental; urgency=low [ Mirco Bauer ] * The "squeeze-ing the best out of Mono" release * [c91fe56] Added git-dch settings * [665316e] Imported Upstream version 2.6.7 + Includes ASP.NET MVC 2.0 * [1823ffa] Don't let git-import-orig do merges * [9b50f29] Implemented tool to test merge all debian patch branches against the upstream branch. * [d06b9ad] Only merge branches that really begin with debian/patches/* * [822f606] Added System.Web.Mvc2 to debian/copyright * [45d4f69] Added libmono-system-web-mvc2.0-cil package * [b9b720e] Fix mono/test test suite compilation. [ Andy Stührk ] * [f6745b9] XplatUIX11.WorkingArea can segfault if the WM does not support _NET_WORKAREA (Closes: #557229) (thanks to Brian Pellin and Andy Stührk for the investigation and patch) -- Mirco Bauer Sat, 07 Aug 2010 00:35:39 +0200