chromium (138.0.7204.92-1) unstable; urgency=high . * New upstream security release. - CVE-2025-6554: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group. * Add lintian override for embedded libjsoncpp in libtest_trace_processor.so. * Drop the text about extensions from d/presubj, and instead ask bug reporters to include output from chrome://gpu which is super useful. chromium (138.0.7204.49-1) unstable; urgency=high . [ Andres Salomon ] * New upstream stable release. - CVE-2025-6555: Use after free in Animation. Reported by Lyra Rebane (rebane2001). - CVE-2025-6556: Insufficient policy enforcement in Loader. Reported by Shaheen Fazim. - CVE-2025-6557: Insufficient data validation in DevTools. Reported by Ameen Basha M K. * d/rules: drop enable_reading_list=false, as Reading List is now supported for all architectures. * d/patches: - upstream/arm32-crel.patch: drop, merged upstream. - upstream/cross-build-target.patch: drop, merged upstream. - upstream/span-fwd.patch: drop, merged upstream. - upstream/mojo-optional.patch: drop, merged upstream. - upstream/opener-heur.patch: drop, merged upstream. - upstream/allowed-state.patch: drop, merged upstream. - upstream/pdfium-libpng.patch: drop, merged upstream. - upstream/safety-hub-set.patch: drop, merged upstream. - fixes/media-cstdint.patch: drop, merged upstream. - debianization/clang-version.patch: refresh. - fixes/bindgen.patch: refresh. - fixes/armhf-icf.patch: refresh. - disable/catapult.patch: refresh. - disable/google-api-warning.patch: refresh. - disable/buildtools-libc.patch: refresh. - bookworm/clang19.patch: drop part of patch. - fixes/memory-allocator-dcheck-assert-fix.patch: update for renamed config variable kMaxBucketed. - disable/node-version-ck.patch: disable nodejs version check in protobuf. . [ Daniel Richard G. ] * d/rules: Rearrange DEB_BUILD_MAINT_OPTIONS assignments to avoid "argument unused" warnings on armhf due to -fstack-clash-protection. * d/control, d/rules: Apply cross-build feedback from Helmut Grohne. * d/control: Add myself to Uploaders:, with Andres's blessing of course :) . [ Timothy Pearson ] * d/patches/ppc64le: - third_party/0001-Add-PPC64-support-for-boringssl.patch: Refresh for upstream changes - third_party/0002-regenerate-xnn-buildgn.patch: Refresh for upstream changes corosync (3.1.9-2) unstable; urgency=medium . * [d29071e] New patch: totemsrp: Check size of orf_token msg. Cherry-picked security fix for CVE-2025-30472, upstream commit 7839990f9cdf34e55435ed90109e82709032466a. Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet. Thanks to Jan Friesse (Closes: #1102006) mariadb (1:11.8.2-1) unstable; urgency=medium . * New upstream version 11.8.2, which also announces the 11.8 series now ready for general availability (GA) with security releases for 5 years. This release includes fixes for several defects as noted at https://mariadb.com/kb/en/mariadb-11-8-2-release-notes/ as well the following security issues (Closes: #1100437, #1105976): - CVE-2023-52969 - CVE-2023-52970 - CVE-2023-52971 - CVE-2025-30693 - CVE-2025-30722 * Drop all RocksDB patches now upstream due to update to version 6.29fb * Drop PCRE2 10.45 compatibility patch obsoleted by upstream test change * Update configuration traces to include new upstream system variables: - innodb-buffer-pool-size-auto-min (default: 0) - innodb-buffer-pool-size-max (default: 0) - innodb-log-checkpoint-now (default: FALSE) * Also update configuration traces to match that in 11.8.2 the variables innodb-buffer-pool-chunk-size and innodb-log-spin-wait-delay are advertised as deprecated. * Disable new unreliable test main.mysql-interactive * Add Breaks/Replaces for files moved around in src:mysql-8.4 (LP: #2110378) * Update mariadb-server.NEWS with information about MariaDB 11.8 and * best practices for creating app user and allowing remote connections * Add patch to improve output from mariadb-secure-installation mariadb (1:11.8.1-5) unstable; urgency=medium . [ Otto Kekäläinen ] * Disable additional tests that failed on sparc64 (MDEV-36670) * Have all server plugins depend on mariadb-server-core (Closes: #1039702) * Make plugin dependencies on mariadbd on strictly versioned (Closes: #1057708) * Remove redundant BSD license comment in debian/copyright * Remove unnecessary arch from dh_installinit rule * Make COMPILATION_COMMENT and MYSQL_SERVER_SUFFIX more useful * Several improvements to Salsa CI, Lintian overrides and other quality assurance for Debian 13 "Trixie" . [ Jing Luo ] * d/upstream/metadata: change github url protocol from git to https * d/copyright: remove old FSF address * d/copyright: move "On Debian systems..." to comment stanza * d/copyright: misc fixes, remove the full text of BSD-3 and Artistic protection-domain-mapper (1.0-7) unstable; urgency=medium . * d/control: only build for ARMv7+ This package is specifically aimed at supporting hardware features of modern Qualcomm SoC's, which are all ARM-based (mostly `arm64`, but that includes `armhf` parts such as e.g. MSM8916). There's no point shipping this package on other architectures, so limit the list to `armhf` and `arm64`, while keeping `amd64` as it greatly simplifies running CI and debugging builds. * d/patches: backport upstream service fix. The QRTR nameserver has been built into the kernel for years now, so the service no longer needs to depend on `qrtr-ns.service`. rmtfs (1.1-3) unstable; urgency=medium . * d/control: only build for ARMv7+ This package is specifically aimed at supporting hardware features of modern Qualcomm SoC's, which are all ARM-based (mostly `arm64`, but that includes `armhf` parts such as e.g. MSM8916). There's no point shipping this package on other architectures, so limit the list to `armhf` and `arm64`, while keeping `amd64` as it greatly simplifies running CI and debugging builds. * d/patches: backport upstream service fix. The QRTR nameserver has been built into the kernel for years now, so the service no longer needs to depend on `qrtr-ns.service`. (Closes: #1104083) spamassassin (4.0.1-5) unstable; urgency=medium . * User a dpkg trigger to restart spamd after sa-compile upgrades (Closes: #1108166) spamassassin (4.0.1-4) unstable; urgency=medium . * backport patch for upstream bug #8237 * Add libnet-libidn2-perl to build-deps for tests * import upstream logging fix when --virtual-config-dir is used (Closes: #1100826) * Ensure stdout from spamassassin-maint is discarded where intended (Closes: #634172) * Fix typo in Mail::SpamAssassin::Conf (Closes: #1072220) * Document the spamc default max message size (Closes: #951545) * Update bundled rules to upstream svn revision 1926576 (Closes: #1106669) * Update spamassassin README for systemd timer usage (Closes: #1108016) * skip spamd client tests during build (Closes: #1093943) tqftpserv (1.1-4) unstable; urgency=medium . * d/control: only build for ARMv7+ This package is specifically aimed at supporting hardware features of modern Qualcomm SoC's, which are all ARM-based (mostly `arm64`, but that includes `armhf` parts such as e.g. MSM8916). There's no point shipping this package on other architectures, so limit the list to `armhf` and `arm64`, while keeping `amd64` as it greatly simplifies running CI and debugging builds. * d/patches: backport upstream service fix. The QRTR nameserver has been built into the kernel for years now, so the service no longer needs to depend on `qrtr-ns.service`. (Closes: #1104039)