lp://staging/ubuntu/oneiric-security/apt
- Get this branch:
- bzr branch lp://staging/ubuntu/oneiric-security/apt
Recent revisions
- 174. By Marc Deslauriers
  * SECURITY UPDATE: InRelease verification bypass
    - CVE-2013-1051
  [ David Kalnischk ]
  [ Michael Vogt ]
  * apt-pkg/deb/debmetaindex.cc,
    test/integration/test-bug-595691-empty-and-broken-archive-files,
    test/integration/test-releasefile-verification:
    - disable InRelease downloading until the verification issue is
      fixed, thanks to Ansgar Burchardt for finding the flaw
- 173. By Michael Vogt
  * SECURITY UPDATE: change permissions of
    /var/log/apt/term.log to 0640 (LP: #975199)
    - CVE-2012-0961
- 172. By Jamie Strandboge
  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
- 171. By Jamie Strandboge
  adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
  Marc Deslauriers. (LP: #1013128)
- 170. By Marc Deslauriers
  * SECURITY UPDATE: trust bypass via stale InRelease file (LP: #947108)
    - CVE-2012-0214
  * This package does _not_ contain the changes from 0.8.16~exp5ubuntu13.1
    in oneiric-proposed.
  [ David Kalnischkies ]
  * apt-pkg/acquire-item.cc:
    - remove 'old' InRelease file if we can't get a new one before
      proceeding with Release.gpg to avoid the false impression of a still
      trusted repository by a (still present) old InRelease file.
      Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
- 169. By Michael Vogt
  [ Adam Conrad ]
  * On armel, call update-apt-xapian-index with '-u' to keep the CPU
    and I/O usage low. We would do this on all arches, but there's a
    regression risk here, but that's better than killing slow systems.
  [ Michael Vogt ]
  * cmdline/apt-key:
    - fix apt-key net-update, thanks to Marc Deslauriers and
      Adam Conrad for the code review (LP: #857472)
- 168. By Michael Vogt
  [ David Kalnischkies ]
  * apt-pkg/deb/deblistparser.cc:
    - fix crash when the dynamic mmap needs to be remapped during
      LoadReleaseInfo (LP: #854090)
- 167. By Michael Vogt
  [ Colin Watson ]
  * ftparchive/cachedb.cc:
    - fix buffersize in bytes2hex
  [ Marc Deslauriers ]
  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure.
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
- 165. By Michael Vogt
  [ Michael Vogt ]
  * apt-pkg/acquire-item.h, apt-pkg/deb/debmetaindex.cc:
    - fix fetching translated package descriptions (including the newly
      stripped out English ones) by adding OptionalSubIndexTarget
  [ David Kalnischkies ]
  * apt-pkg/acquire-item.cc:
    - if no Release.gpg file is found try to verify with hashes,
      but do not fail if a hash can't be found
  * apt-pkg/indexrecords.cc:
    - fix Acquire::Max-ValidTime option by interpreting it really
      as seconds as specified in the manpage and not as days
    - add an Acquire::Min-ValidTime option (Closes: #640122)
  * doc/apt.conf.5.xml:
    - reword Acquire::Max-ValidTime documentation to make clear
      that it doesn't provide the new Min-ValidTime functionality
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/precise/apt