<feed xmlns='http://www.w3.org/2005/Atom'>
<title>apt, branch 1.4_beta2</title>
<subtitle>Debian's command-line package manager</subtitle>
<id>https://git.kalnischkies.de/apt/atom?h=1.4_beta2</id>
<link rel='self' href='https://git.kalnischkies.de/apt/atom?h=1.4_beta2'/>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/'/>
<updated>2016-12-08T14:21:23Z</updated>
<entry>
<title>Release 1.4~beta2 security update</title>
<updated>2016-12-08T14:21:23Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-12-08T14:21:23Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=196d70466490dc32a7b25e8a8b06216c8cdc8d3f'/>
<id>urn:sha1:196d70466490dc32a7b25e8a8b06216c8cdc8d3f</id>
<content type='text'>
</content>
</entry>
<entry>
<title>releasing package apt version 1.4~beta2</title>
<updated>2016-12-08T14:20:59Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-12-08T14:20:59Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=fbed9c177f442270f791db920f66b2b22670c230'/>
<id>urn:sha1:fbed9c177f442270f791db920f66b2b22670c230</id>
<content type='text'>
</content>
</entry>
<entry>
<title>gpgv: Flush the files before checking for errors</title>
<updated>2016-12-08T14:19:30Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-12-06T08:35:11Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=6212ee84a517ed68217429022bd45c108ecf9f85'/>
<id>urn:sha1:6212ee84a517ed68217429022bd45c108ecf9f85</id>
<content type='text'>
This is a follow up to the previous issue where we did not check
if getline() returned -1 due to an end of file or due to an error
like memory allocation, treating both as end of file.

Here we ensure that we also handle buffered writes correctly by
flushing the files before checking for any errors in our error
stack.

Buffered writes themselves were introduced in 1.1.9, but the
function was never called with a buffered file from inside
apt until commit 46c4043d741cb2c1d54e7f5bfaa234f1b7580f6c
which was first released with apt 1.2.10. The function is
public, though, so fixing this is a good idea anyway.

Affected: &gt;= 1.1.9
</content>
</entry>
<entry>
<title>SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)</title>
<updated>2016-12-08T14:19:21Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-12-05T22:01:25Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=51be550c5c38a2e1ddfc2af50a9fab73ccf78026'/>
<id>urn:sha1:51be550c5c38a2e1ddfc2af50a9fab73ccf78026</id>
<content type='text'>
This fixes a security issue where signatures of the
InRelease files could be circumvented in a man-in-the-middle
attack, giving attackers the ability to serve any packages
they want to a system, in turn giving them root access.

It turns out that getline() may not only return EINVAL
as stated in the documentation - it might also return
in case of an error when allocating memory.

This fix not only adds a check that reading worked
correctly, it also implicitly checks that all writes
worked by reporting any other error that occurred inside
the loop and was logged by apt.

Affected: &gt;= 0.9.8
Reported-By: Jann Horn &lt;jannh@google.com&gt;
Thanks: Jann Horn, Google Project Zero for reporting the issue
LP: #1647467
</content>
</entry>
<entry>
<title>bash-completion: Only complete understood file paths for install</title>
<updated>2016-11-30T11:15:08Z</updated>
<author>
<name>John R. Lenton</name>
<email>jlenton@gmail.com</email>
</author>
<published>2016-11-30T09:28:27Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=6761dae5d0c372d132b0df91753120b59e30fd0e'/>
<id>urn:sha1:6761dae5d0c372d132b0df91753120b59e30fd0e</id>
<content type='text'>
Previously apt's bash completion was such that, given

    $ mkdir xyzzz
    $ touch xyzzy.deb xyzzx.two.deb

you'd get

    $ apt install xyzz&lt;tab&gt;
    xyzzx.two.deb  xyzzz/
    $ apt install /tmp/foo/xyzz&lt;tab&gt;
    xyzzx.two.deb  xyzzz/

this is inconsistent (xyzzx.two.deb is listed but not xyzzy.deb), but
worse than that it offered things that apt would not actually
recognise as candidates for install:

    $ sudo apt install xyzzx.two.deb
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package xyzzx.two.deb
    E: Couldn't find any package by glob 'xyzzx.two.deb'
    E: Couldn't find any package by regex 'xyzzx.two.deb'

With this small (trivial, really) change, apt's bash completion will
only offer things apt understands, and won't require an additional
period in the filename to offer it:

    $ apt install xyzz&lt;tab&gt;^C
    $ # (no completions!)
    $ apt install ./xyzz&lt;tab&gt;
    xyzzx.two.deb  xyzzy.deb      xyzzz/
    $ apt install /tmp/foo/xyzz
    xyzzx.two.deb  xyzzy.deb      xyzzz/

fixes #28

LP: #1645815
</content>
</entry>
<entry>
<title>Release 1.4~beta1</title>
<updated>2016-11-25T22:50:48Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-11-25T22:47:08Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=7d5234ab88b4cd6b172f13d0912c585983c3410b'/>
<id>urn:sha1:7d5234ab88b4cd6b172f13d0912c585983c3410b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Add apt-pkg/tagfile-keys.cc to the gitignore file</title>
<updated>2016-11-25T22:49:26Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-11-25T22:48:29Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=4976699bc30a9255f62a553d46da4d50f039b6dd'/>
<id>urn:sha1:4976699bc30a9255f62a553d46da4d50f039b6dd</id>
<content type='text'>
This is output of triehash.

Gbp-Dch: ignore
</content>
</entry>
<entry>
<title>gpgv: Untrust SHA1, RIPE-MD/160, but allow downgrading to weak</title>
<updated>2016-11-25T22:45:19Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-11-25T12:12:28Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=33d7a8d672c8c720947e81158de4a5a07be05b72'/>
<id>urn:sha1:33d7a8d672c8c720947e81158de4a5a07be05b72</id>
<content type='text'>
Change the trust level check to allow downgrading an Untrusted
option to weak (APT::Hashes::SHA1::Weak "yes";), so it prints
a warning instead of an error; and change the default values
for SHA1 and RIPE-MD/160 from Weak to Untrusted.
</content>
</entry>
<entry>
<title>show output as documented for APT::Periodic::Verbose 2</title>
<updated>2016-11-25T12:05:44Z</updated>
<author>
<name>Paul Wise</name>
<email>pabs@debian.org</email>
</author>
<published>2016-11-25T09:53:10Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=250687865e2d27dc949b810e59b07161a4c8f762'/>
<id>urn:sha1:250687865e2d27dc949b810e59b07161a4c8f762</id>
<content type='text'>
The documentation of APT::Periodic::Verbose doesn't match the code,
specifically level 2 should apply some things differently to level 1
but does not because it uses `-le 2` instead of `-lt 2` or `-le 1`.

Closes: 845599
</content>
</entry>
<entry>
<title>optional write aptwebserver log to client specific files</title>
<updated>2016-11-24T23:15:13Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2016-11-24T11:14:39Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=e1ae0531bfad0fce8590c26d1e38825df22d812a'/>
<id>urn:sha1:e1ae0531bfad0fce8590c26d1e38825df22d812a</id>
<content type='text'>
The test test-handle-redirect-as-used-mirror-change serves multiple
clients at the same time, so the order of the output is undefined and
once in a while the two clients will intermix their lines causing the
grep we perform on it later to fail making our tests fail.

Solved by introducing client-specific logfiles which we all grep and
sort the result to have the results more stable.

Git-Dch: Ignore
</content>
</entry>
</feed>
