Release 1.6.41.6.4

author: Julian Andres Klode <julian.klode@canonical.com> 2018-08-20 17:39:08 +0200
committer: Julian Andres Klode <julian.klode@canonical.com> 2018-08-20 18:07:45 +0200
commit: b438f971a9fe2b06bd15cb56451b155853c0100c (patch)
tree: 63fcce89b735cfa1822e911fd5e55226f0a91dd7 /debian
parent: a9ecbb403e7da51aef6814c1b5a19bc18bdb3622 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 8dd68cdaa..264e61735 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+apt (1.6.4) unstable; urgency=critical
+
+  [ David Kalnischkies ]
+  * SECURITY UPDATE: Fallback in the mirror method allowed a later server to
+    supply any InRelease file without it having to be verified. (LP: #1787752)
+    - apt-pkg/acquire-item.cc:: clear alternative URIs for mirror:// between steps
+    - CVE-2018-0501
+    - https://mirror.fail/
+
+ -- Julian Andres Klode <jak@debian.org>  Mon, 20 Aug 2018 17:38:50 +0200
+
 apt (1.6.3) unstable; urgency=medium
 
   * Handle JSON hooks that just close the file/exit and fix some other errors
author	Julian Andres Klode <julian.klode@canonical.com>	2018-08-20 17:39:08 +0200
committer	Julian Andres Klode <julian.klode@canonical.com>	2018-08-20 18:07:45 +0200
commit	b438f971a9fe2b06bd15cb56451b155853c0100c (patch)
tree	63fcce89b735cfa1822e911fd5e55226f0a91dd7 /debian
parent	a9ecbb403e7da51aef6814c1b5a19bc18bdb3622 (diff)