gpsd (3.17-6) unstable; urgency=medium . * [0a8e4e18] Pull json fixes from upstream to fix a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs. CVE-2018-17937 / Closes: #925327 The update also fixes several other json parser bugs. - ECMA-404 says JSON \u must have 4 hex digits - Allow for \u escapes with fewer than 4 digits. - Fail on bad escape string. * [71020f4f] Update git-buildpackage config to build from the buster branch. kpmcore (3.3.0-5) unstable; urgency=medium . * Use luks1 format only lexicon (3.0.8-2) unstable; urgency=high . * Team upload. * Import dnsimple create fix from upstream (Closes: #926682) libcaca (0.99.beta19-2.1) unstable; urgency=medium . * Non-maintainer upload. * Cherry-Pick fixes from upstream git repository: - CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and CVE-2018-20549 (Closes: #917807) python-fakeredis (1.0.3-1) unstable; urgency=medium . * New upstream release (Closes: #924851) * update d/CHANGELOG python-scales (1.0.9-2) unstable; urgency=medium . [ Ondřej Nový ] * d/control: Remove ancient X-Python-Version field * d/control: Remove ancient X-Python3-Version field * d/copyright: Use https protocol in Format field . [ Christian Ehrhardt ] * d/control: follow tox transition to fix FTBFS (Closes: #924798) sysstat (12.0.3-2) unstable; urgency=medium . * Upload to unstable. sysstat (12.0.3-1) experimental; urgency=medium . * New upstream stable version: + sadf: Fix out of bound reads security issues (CVE-2018-19416 and CVE-2018-19517, closes: #914384, #914553); + sadf: Fix possible infinite loop; + sar: Fortify remap_struct() function to prevent possible crashes on reading binary datafiles generated by older versions of sysstat. * systat.init.d: revert a change introduced in 11.5.5-1, as it caused the start script to fail to execute the command that adds "Linux Restart" marker into statistics file on systems on which systemd is not used. Thanks to Georgios Zarkadas for noticing this (closes: #924864). * debian/rules: replace deprecated dh_systemd_start by dh_installsystemd, as suggested by lintian; the former command wass ignored by debhelper v11, what in turn resulted in the `--no-start' option being ignored, and the restart markers were incorrectly added during package upgrades. tvtime (1.0.11-5) unstable; urgency=medium . * QA upload. * Create repository on salsa. * Refresh patches * Fix "insecure use of /tmp" by only using the fall back to $HOME. This is patch 0002-disable-insecure-temp-file.patch (Closes: #924076)