apt, branch 1.8.0_beta1 Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.8.0_beta1 2019-01-23T15:50:11Z Release 1.8.0~beta1 2019-01-23T15:50:11Z Julian Andres Klode julian.klode@canonical.com 2019-01-23T15:50:11Z urn:sha1:4200469bb5a14c4659285917ed30c46a0b15c286 Merge tag '1.8.0_alpha3.1' 2019-01-22T18:54:55Z Julian Andres Klode julian.klode@canonical.com 2019-01-22T18:54:55Z urn:sha1:d39b6b646cc912314e1e3560ad407980131df92b apt Debian release 1.8.0~alpha3.1 Release 1.8.0~alpha3.1 2019-01-22T18:52:42Z Julian Andres Klode julian.klode@canonical.com 2019-01-22T18:51:09Z urn:sha1:f397feb72d964924daa85c8cfad18db3a0570ab7 SECURITY UPDATE: content injection in http method (CVE-2019-3462) 2019-01-22T18:50:36Z Julian Andres Klode julian.klode@canonical.com 2019-01-18T08:13:52Z urn:sha1:c31d65e76810f72c356e381818174bf100605de7 This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353 (cherry picked from commit 5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b) Merge branch 'pu/release-preparations' 2019-01-22T17:39:56Z Julian Andres Klode julian.klode@canonical.com 2019-01-22T17:39:56Z urn:sha1:cf6c1eb20951bcf6be32cab495da03bc4f68bf8a debian/control: Drop libcurl4-gnutls-dev build dependency 2019-01-22T17:37:49Z Julian Andres Klode julian.klode@canonical.com 2019-01-22T17:37:00Z urn:sha1:95612ea3b7a54b810b8a2f5ee2e3a29660b3c78b Not needed since quite some time. Merge branch 'pu/gpgvsignedby' into 'master' 2019-01-22T15:02:36Z Julian Andres Klode jak@debian.org 2019-01-22T15:02:36Z urn:sha1:690bc2923814b3620ace1ffcb710603f81fa217f Report keys used to sign file from gpgv method to acquire system See merge request apt-team/apt!44 SECURITY UPDATE: content injection in http method (CVE-2019-3462) 2019-01-22T11:50:59Z Julian Andres Klode julian.klode@canonical.com 2019-01-18T08:13:52Z urn:sha1:5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353 doc/apt-verbatim.ent: Debian buster is stable 2019-01-22T11:43:15Z Julian Andres Klode julian.klode@canonical.com 2019-01-22T11:36:37Z urn:sha1:2fea01a9f0db4107bfcca79fabe8e11403050d9e Move everything up one "old", and change testing to be bullseye. CI: Use debian:buster as test base image 2019-01-22T11:43:15Z Julian Andres Klode julian.klode@canonical.com 2019-01-22T11:33:51Z urn:sha1:3cc995a1318b971aed9f8d9f968d4a0a16ece53b This prepares us for the upcoming buster release, as buster is the main release series for this series (the other being Ubuntu disco).