irssi (1.0.5-1~16.04.york0) xenial; urgency=medium
* No-change backport to xenial
irssi (1.0.5-1) unstable; urgency=high
* New upstream bugfix release (closes: #879521):
- Fix missing -sasl_method '' in /NETWORK.
- Fix incorrect restoration of term state when hitting SUSP
inside screen.
- Fix out of bounds read when compressing colour
sequences. Found by Hanno Böck. [CVE-2017-15228]
- Fix use after free condition during a race condition when
waiting on channel sync during a rejoin [CVE-2017-15227]
- Fix null pointer dereference when parsing certain malformed
CTCP DCC messages. [CVE-2017-15721]
- Fix crash due to null pointer dereference when failing to
split messages due to overlong nick or target. [CVE-2017-15723]
- Fix out of bounds read when trying to skip a safe channel ID
without verifying that the ID is long enough. [CVE-2017-15722]
- Fix return of random memory when inet_ntop failed.
- Minor statusbar help update.
* Remove deprecated --with autotools_dev call to dh.
* Bump Standards-Version to 4.1.1.
* Change priority of irssi-dev from deprecated extra to optional.
* Use pkg-info.mk in debian/rules instead of calling dpkg-parsechangelog
directly.
irssi (1.0.4-1) unstable; urgency=high
* New upstream bugfix release (closes: #867598):
- Fix null pointer dereference when parsing invalid timestamp.
Reported by Brian 'geeknik' Carpenter. [CVE-2017-10965]
- Fix use-after-free condition when removing nicks from the internal
nicklist. Reported by Brian 'geeknik' Carpenter. [CVE-2017-10966]
- Fix incorrect string comparison in DCC file names.
- Fix regression in Irssi 1.0.3 where it would claim "Invalid time '-1'".
- Fix a bug when using \n to separate lines with expand_escapes.
- Retain screen output on improper exit, to better see any error
messages.
- Minor help update.
irssi (1.0.3-1) unstable; urgency=high
* New upstream pure bugfix release.
irssi (1.0.2-1) unstable; urgency=high
* New upstream pure bugfix release:
- Prevent some null-pointer crashes.
- Fix compilation with OpenSSL 1.1.0.
- Correct dereferencing of already freed server objects during
output of netjoins. Found by APic. (closes: #857502)
- Fix in command arg parser to detect missing arguments in tail place.
- Fix regression that broke incoming DCC file transfers.
- Fix issue with escaping \ in evaluated strings.
irssi (1.0.1-1) unstable; urgency=high
* New upstream pure bugfix release:
- Fix Perl compilation in object dir.
- Disable EC cryptography on Solaris to fix build.
- Fix incorrect HELP SERVER example.
- Correct memory leak in /OP and /VOICE.
- Fix regression that broke second level completion.
- Correct missing NULL termination in perl_parse.
- Sync broken mail.pl script.
irssi (1.0.0-1) unstable; urgency=medium
* New upstream release.
* Add patch 25tls-ssl-compat-defines provided by upstream's dx for backward
compatibility to not require modules using these functions to change code.
* Update patch 22fix-perl-hardening.
irssi (0.8.21-1) unstable; urgency=medium
* New upstream security release (Closes: #850403):
- CVE-2017-5193: NULL pointer dereference in the nickcmp function
- CVE-2017-5194: Use-after-freee when receiving invalid nick message
- CVE-2017-5195: Out-of-bounds read in certain incomplete control codes
- CVE-2017-5196: Out-of-bounds read in certain incomplete character
sequences
* Remove patch 23fix-buf.pl which is included in upstream release.
* Set PACKAGE_VERSION for configure as suggested by upstream.
irssi (0.8.20-2) unstable; urgency=high
* New patch 23fix-buf.pl to fix an information exposure issue involved with
using buf.pl and /upgrade.
irssi (0.8.20-1) unstable; urgency=critical
* New upstream security release.
* Fix heap corruption and missing bounds checks (CVE-2016-7044
CVE-2016-7045)
irssi (0.8.19-2) unstable; urgency=low
* Bump Standards-Version to 3.9.8.
* Drop DANE support, libval changed and doesn't offer that interface
anymore.
* Drop -dbg package in favor of the automatically created dbgsym one.
-- Jonathon Fernyhough <email address hidden> Mon, 20 Nov 2017 15:39:44 +0000