apt (0.9.7.9+deb7u3) wheezy-security; urgency=high * SECURITY UPDATE: - incorrect invalidating of unauthenticated data (CVE-2014-0488) - incorect verification of 304 reply (CVE-2014-0487) - incorrect verification of Acquire::Gzip indexes (CVE-2014-0489) - incorrect apt-get download validation (CVE-2014-0490) -- Michael Vogt Mon, 15 Sep 2014 09:24:15 +0200 apt (0.9.7.9+deb7u2) wheezy-security; urgency=high * SECURITY UPDATE: apt-get source validation (closes: #749795) - CVE-2014-0478 -- Michael Vogt Thu, 12 Jun 2014 12:47:25 +0200 apt (0.9.7.9+deb7u1) wheezy; urgency=low * Non-maintainer upload. * Apply patch for large .debs (Closes: #725483) Thanks Mark Hymers for the patch, Vincent Sanders for the review * Apply patch for strict multi-arch checking in single-architecture environments (Closes: #723586) -- Jonathan Wiltshire Sat, 16 Nov 2013 11:14:39 +0000 apt (0.9.7.9) stable; urgency=low [ Ludovico Cavedon ] * properly handle if-modfied-since with libcurl/https (closes: #705648) [ Andreas Beckman ] * apt-pkg/algorithms.cc: - Do not propagate negative scores from rdepends. Propagating the absolute value of a negative score may boost obsolete packages and keep them installed instead of installing their successors. (Closes: #699759) -- Michael Vogt Tue, 04 Jun 2013 08:05:47 +0200 apt (0.9.7.8) unstable; urgency=criticial * SECURITY UPDATE: InRelease verification bypass - CVE-2013-1051 [ David Kalnischk ] * apt-pkg/deb/debmetaindex.cc, test/integration/test-bug-595691-empty-and-broken-archive-files, test/integration/test-releasefile-verification: - disable InRelease downloading until the verification issue is fixed, thanks to Ansgar Burchardt for finding the flaw -- Michael Vogt Thu, 14 Mar 2013 07:47:36 +0100 apt (0.9.7.7) unstable; urgency=low [ Program translation updates ] * Catalan (Jordi Mallach) * Drop a confusing non-breaking space. Closes: #691024 * Thai (Theppitak Karoonboonyanan). Closes: #691613 * Vietnamese (Trần Ngọc Quân). Closes: #693773 * Fix Plural forms in German, French, Japanese and Portuguese translations. Thanks to Jakub Wilk for reporting these errors. [ David Kalnischkies ] * apt-pkg/packagemanager.cc: - do not do lock-step configuration for a M-A:same package if it isn't unpacked yet in SmartConfigure and do not unpack a M-A:same package again in SmartUnPack if we have already configured it (LP: #1062503) * apt-pkg/depcache.cc: - don't call MarkInstall with the FromUser flag set for packages which are dependencies of APT::Never-MarkAuto-Sections matchers - no mode changes should obviously be ok for pkgDepCache::IsModeChangeOk * cmdline/apt-get.cc: - do not call Mark{Install,Delete} from the autoremove code with the FromUser bit set to avoid modifying the auto-installed bit * apt-pkg/algorithms.cc: - ensure pkgProblemResolver calls MarkDelete without FromUser set so that it can't overrule holds and the protection flag [ Michael Vogt ] * change permissions of /var/log/apt/term.log to 0640 (LP: #975199) [ Jonathan Thomas ] * apt-pkg/algorithms.cc: - fix package-pointer array memory leak in ResolveByKeepInternal() -- Michael Vogt Thu, 13 Dec 2012 09:52:19 +0100 apt (0.9.7.6) unstable; urgency=low [ Program translation updates ] * Ukrainian (A. Bondarenko) [ David Kalnischkies ] * apt-pkg/pkgcachegen.cc: - ensure that dependencies for packages:none are always generated - add 2 missing remap registrations causing a segfault in case we use the not remapped iterators after a move of the mmap again - write the native architecture as unique string into the cache header as it is used for arch:all packages as a map to arch:native. Otherwise arch comparisons later will see differences (Closes: #689323) * apt-pkg/pkgcache.cc: - ignore negative dependencies applying in the same group for M-A:same packages on the real package name as self-conflicts (Closes: #688863) * cmdline/apt-cache.cc: - print versioned dependency relations in (r)depends if the option APT::Cache::ShowVersion is true (default: false) as discussed in #218995 to help debian-cd fixing #687949. Thanks to Sam Lidder for initial patch and Steve McIntyre for nagging and testing! * apt-pkg/edsp.cc: - include reinstall requests and already installed (= protected) packages in the install-request for external resolvers (Closes: #689331) * apt-pkg/policy.cc: - match pins with(out) an architecture as we do on the commandline (partly fixing #687255, b= support has to wait for jessie) * apt-pkg/contrib/netrc.cc: - remove the 64 char limit for login/password in internal usage - remove 256 char line limit by using getline() (POSIX.1-2008) [ Colin Watson ] * apt-pkg/pkgcachegen.cc: - Fix crash if the cache is remapped while writing a Provides version (LP: #1066445). -- Michael Vogt Tue, 16 Oct 2012 18:08:53 +0200 apt (0.9.7.5) unstable; urgency=low [ Manpages translation updates ] * Japanese (KURASAWA Nozomu) (Closes: #684435) * Portuguese (Américo Monteiro) (Closes: #686975) [ David Kalnischkies ] * handle packages without a mandatory architecture (debian-policy §5.3) by introducing a pseudo-architecture 'none' so that the small group of users with these packages can get right of them without introducing too much hassle for other users (Closes: #686346) * apt-pkg/cdrom.cc: - copy only configured translation files from a CD-ROM and not all available translation files preventing new installs with d-i from being initialized with all translations (Closes: #678227) - handle Components in the reduction for the source.list as multi-arch CDs otherwise create duplicated source entries (e.g. "wheezy main main") * apt-pkg/packagemanager.cc: - unpack versions only in case a different version from the package is currently in unpack state to recover from broken system states (like different file in M-A:same package and other dpkg errors) and avoid re-unpack otherwise (Closes: #670900) * debian/control: - let libapt-pkg break apt < 0.9.4 to ensure that the installed http- method supports the new redirection-style, thanks to Raphael Geissert for reporting & testing (Closes: #685192) * doc/apt_preferences.5.xml: - use the correct interval (x <= P < y) for pin value documentation as these are the intervals used by the code (Closes: #685989) * apt-pkg/indexcopy.cc: - do not create duplicated flat-archive CD-ROM sources for foreign architectures on multi-arch CD-ROMs - do not warn about files which have a record in the Release file, but are not present on the CD to mirror the behavior of the other methods and to allow uncompressed indexes to be dropped without scaring users * apt-pkg/pkgcachegen.cc: - do not create 'native' (or now 'none') package structures as a side effect of description translation parsing as it pollutes the cache -- Michael Vogt Tue, 11 Sep 2012 15:56:44 +0200 apt (0.9.7.4) unstable; urgency=low [ Manpages translation updates ] * Polish (Robert Luberda) (Closes: #683109) [ Program translation updates ] * Polish (Michał Kułach) [ Pino Toscano ] * apt-pkg/contrib/mmap.cc: - guard only the msync call with _POSIX_SYNCHRONIZED_IO rather than also the fallback code as it breaks APT on hurd since 0.9.7.3 as the fallback is now always used on non-linux (Closes: #683354) [ David Kalnischkies ] * apt-pkg/contrib/fileutl.cc: - remove _POSIX_SYNCHRONIZED_IO guard in FileFd::Sync() around fsync as this guard is only needed for fdatasync and not defined on hurd * cmdline/apt-get.cc: - error out on (unsatisfiable) build-deps on purly virtual packages instead of ignoring these dependencies; thanks to Johannes Schauer for the detailed report! (Closes: #683786) - ensure that the right architecture is used for cross-dependencies in cases we have to choose a provider by defaulting on host-arch instead of build-arch * doc/apt-verbatim.ent: - denote 'wheezy' as stable codename and 'jessie' as testing codename in the documentation in preparation for release * apt-pkg/indexcopy.cc: - do not use atomic writing if the target is /dev/null as we don't want to replace it, not even automically. (Closes: #683410) * apt-pkg/cdrom.cc: - do not link() but rename() the cdroms.list to cdroms.list~ as a backup to ensure that apt-cdrom can be run multiple times (Closes: #676302) -- Michael Vogt Mon, 06 Aug 2012 15:55:04 +0200 apt (0.9.7.3) unstable; urgency=low [ Manpages translation updates ] * Spanish; (Omar Campagne). Closes: #681566 [ Program translation updates ] * Czech (Miroslav Kure). Closes: #680758 [ David Kalnischkies ] * apt-pkg/cacheset.cc: - handle :all and :native correctly as architectures again in the commandline parsing (regression in 0.9.7) * apt-pkg/packagemanager.cc: - do not segfault if nothing can be configured to statisfy a pre-depends (e.g. in a pre-depends loop) (Closes: #681958) * apt-pkg/contrib/mmap.cc: - trigger the usage of the fallback code for kfreebsd also in the second (filebased) constructor of DynamicMMap (Closes: #677704) - refer to APT::Cache-Start in case the growing failed as if -Limit is really the offender it will be noted in a previous error message. - for filesystems not supporting mmap'ing a file we need to use a SyncToFd dummy just as we did for compressed files in 0.9.5 -- Michael Vogt Fri, 27 Jul 2012 17:53:41 +0200 apt (0.9.7.2) unstable; urgency=low [ Manpages translation updates ] * French (Christian Perrier) * German (Chris Leick) [ Program translation updates ] * Greek (Θανάσης Νάτσης) * Japanese (Kenshi Muto) (Closes: #679662) * Russian (Yuri Kozlov) (Closes: #679599) * Danish (Joe Dalton) (Closes: #680119) * Portuguese (Miguel Figueiredo) (Closes: #680616) [ David Kalnischkies ] * debian/apt.cron.daily: - do not try to backup extended_states file if it doesn't exist (Closes: #680287) * ftparchive/writer.cc: - handle the APT::FTPArchive::Packages::SHA512 option correctly instead of overriding SHA256, thanks Christian Marillat! (Closes: #680252) * cmdline/apt-mark.cc: - arch:all packages are treated as arch:native packages, but dpkg expects pkg:all for selections, so use the arch of the installed version instead of the package structure if possible. Thanks to Stepan Golosunov for the report! (Closes: #680041) * apt-pkg/clean.cc: - run autoclean against pkg:arch and not always against pkg:native as this removes valid cache entries (Closes: #679371) * apt-pkg/deb/deblistparser.cc: - negative dependencies need to apply to all architectures, but those with a specific architecture only apply to this one * apt-pkg/cachefilter.cc: - remove architecture-specific arch to tuple expansion-rules as they lead to the same tuples for different architectures (e.g. linux-arm for arm, armel and armhf) while the dpkg-architecture code uses triples which are different (in the first part, which we omit in our tuples), so e.g. build-dep restrictions for armel ended up effecting armhf as well -- Michael Vogt Fri, 13 Jul 2012 21:33:56 +0200 apt (0.9.7.1) unstable; urgency=low [ Program translation updates ] * Bulgarian (Damyan Ivanov) (Closes: #678983) * Hungarian (Gabor Kelemen) * Italian (Milo Casagrande) * Slovenian (Andrej Znidarsic) * German (Holger Wansing) (Closes: #679314) * Slovak (Ivan Masár) (Closes: #679448) [ David Kalnischkies ] * cmdline/apt-internal-solver.cc, cmdline/apt-mark.cc: - typo fixes and unfuzzy translations * debian/control: - libapt-{pkg,inst} packages should be in section 'libs' instead of 'admin' as by ftp-master override request in #677596 - demote debiandoc-sgml to Build-Depends-Indep * doc/makefile: - separate translation building of debiandoc from manpages so that we don't need to build debiandoc for binary packages -- Michael Vogt Fri, 29 Jun 2012 14:26:32 +0200 apt (0.9.7) unstable; urgency=low [ Julian Andres Klode ] * apt-pkg/contrib/mmap.cc: - Fix the Fallback option to work correctly, by not calling realloc() on a map mapped by mmap(), and by using malloc and friends instead of new[]. - Zero out the new memory allocated with realloc(). [ Daniel Hartwig ] * apt-pkg/pkgcachegen.cc: - always reset _error->StackCount in MakeStatusCache (Closes: #677175) [ David Kalnischkies ] * apt-pkg/deb/deblistparser.cc: - ensure that mixed positive/negative architecture wildcards are handled in the same way as dpkg handles them - use PackageArchitectureMatchesSpecification filter * apt-pkg/cachefilter.cc: - add PackageArchitectureMatchesSpecification (Closes: #672603) * apt-pkg/cacheset.cc: - add PackageContainerInterface::FromGroup to support architecture specifications with wildcards on the commandline * apt-pkg/pkgcache.cc: - do a string comparision for architecture checking in IsMultiArchImplicit as 'unique' strings in the pkgcache aren't unique (Closes: #677454) * buildlib/configure.mak: - print a message detailing how to get config.guess and config.sub in case they are not in /usr/share/misc (Closes: #677312) * cmdline/apt-get.cc: - print a friendly message in 'download' if a package can't be downloaded (Closes: #677887) -- Michael Vogt Tue, 19 Jun 2012 16:42:43 +0200 apt (0.9.6) unstable; urgency=low [ David Kalnischkies ] * apt-pkg/cdrom.cc: - fix regression from 0.9.3 which dumped the main configuration _config instead of the cdrom settings (Cnf) as identified and tested by Milan Kupcevic, thanks! (Closes: #674100) * cmdline/apt-get.cc: - do not show 'list of broken packages' header if no package is broken as it happens e.g. for external resolver errors - print URIs for all changelogs in case of --print-uris, thanks to Daniel Hartwig for the patch! (Closes: #674897) - show 'bzr branch' as 'bzr get' is deprecated (LP: #1011032) - check build-dep candidate if install is forbidden * debian/apt-utils.links: - the internal resolver 'apt' is now directly installed in /usr/lib/apt/solvers, so don't instruct dh to create a broken link * doc/apt-verbatim.ent: - APT doesn't belong to the product 'Linux', so use 'APT' instead as after all APT is a big suite of applications * doc/examples/sources.list: - use the codename instead of 'stable' in the examples sources.list as we do in the manpage and as the debian-installer does * doc/apt-get.8.xml: - use apt-utils as package example instead of libc6 * apt-pkg/contrib/cmdline.cc: - apply patch from Daniel Hartwig to fix a segfault in case the LongOpt is empty (Closes: #676331) - fix segfault with empty LongOpt in --no-* branch * ftparchive/apt-ftparchive.cc: - default to putting the Contents-* files below $(SECTION) as apt-file expects them there - thanks Martin-Éric Racine! (Closes: #675827) * apt-pkg/deb/deblistparser.cc: - set pkgCacheGen::Essential to "all" again (Closes: #675449) * apt-pkg/algorithms.cc: - force install only for one essential package out of a group * apt-pkg/aptconfiguration.cc: - if APT::Languages=none save "none" in allCodes so that the detected configuration is cached as intended (Closes: #674690, LP: #1004947) * apt-pkg/cacheiterators.h: - add an IsMultiArchImplicit() method for Dep- and PrvIterator [ Justin B Rye ] * doc/apt-cdrom.8.xml: - replace CDROM with the proper CD-ROM in text - correct disc vs. disk issues * doc/apt-extracttemplates.1.xml: - debconf is not DebConf * doc/apt-get.8.xml: - move dselect-upgrade below dist-upgrade - review and fix spelling issues * doc/apt-ftparchive.8.xml, doc/apt-config.8.xml, doc/apt-key.8.xml, doc/apt-mark.8.xml, doc/apt_preferences.5.xml, doc/apt-secure.8.xml, doc/apt-sortpkgs.1.xml, sources.list.5.xml: - review and fix typo, grammar and style issues * doc/apt.conf.5.xml: - review and fix typo, grammar and style issues - rephrase APT::Immediate-Configuration and many others [ Sebastian Heinlein ] * cmdline/apt-key: - do not hardcode /etc but use Dir::Etc instead [ Robert Luberda ] * Polish manpage translation update (Closes: #675603) * doc/apt-mark.8.xml: - in hold, the option name is --file not --filename [ Christian Perrier ] * French program and manpage translation update * Danish program translation by Joe Hansen. Closes: #675605 [ Thibaut Girka ] * cmdline/apt-get.cc: - complain correctly about :any build-dep on M-A:none packages * apt-pkg/deb/deblistparser.cc: - add support for arch-specific qualifiers in dependencies -- Michael Vogt Mon, 11 Jun 2012 16:21:53 +0200 apt (0.9.5.1) unstable; urgency=low [ David Kalnischkies ] * apt-pkg/contrib/fileutl.cc: - dup() given compressed fd in OpenDescriptor if AutoClose is disabled as otherwise gzclose() and co will close it * doc/*.xml: - mark even more stuff as untranslateable and improve the markup here and there (no real text change) - use docbook DTD 4.5 instead of 4.2 to have valid docs [ Justin B Rye ] * doc/*.xml: - remove 'GNU/Linux' from 'Debian systems' strings as Debian has more systems than just GNU/Linux nowadays * doc/apt-cache.8.xml: - fix a typo as well as adding missing literal markup - three small rewordings for better english sentences -- Michael Vogt Thu, 24 May 2012 17:16:34 +0200 apt (0.9.5) unstable; urgency=low [ Chris Leick ] * proofreading of the manpage pot * German manpage translation update (Closes: #673294) [ David Kalnischkies ] * buildlib/podomain.mak: - ensure that all sources end up in the srclist so that we don't forget to extract half of the translation strings * buildlib/inttypes.h.in: - remove inttypes.h compatibility as providing such a c99 types compatibility conflicts with the usage of c99 type long long * apt-pkg/contrib/mmap.cc: - have a dummy SyncToFd around in case of ReadOnly access to a compressed file as we otherwise on Close() do not delete[] the char buffer but munmap() it… (Closes: #673815) * debian/control: - moving debiandoc-sgml to Build-Depends-Indep was one step too much for the buildds as we still build two sgml files in arch:any * debian/rules: - move internal-solver as 'apt' to his friend dump-solver in /usr/lib/apt/solvers to avoid writing a manpage for it -- Michael Vogt Tue, 22 May 2012 16:14:22 +0200 apt (0.9.4) unstable; urgency=low [ David Kalnischkies ] * methods/http.cc: - after many years of pointless discussions disable http/1.1 pipelining by default as many webservers and proxies seem to be unable to conform to specification must's (rfc2616 section 8.1.2.2) (LP: #996151) - add spaces around PACKAGE_VERSION to fix FTBFS with -std=c++11 * apt-pkg/pkgcachegen.cc: - make IsDuplicatedDescription static so that it is really private as we don't need a symbol for it as it is not in a header * Makefile, buildlib/*.mak: - reshuffle dependencies so that parallel building seems to work - separate manpages from the rest of the doc building * prepare-release: - apt-inst version isn't apt versions, so don't override variable * debian/rules: - apt-utils packages manpages, so it should depend on build-doc - make apt and apt-utils packages depend on manpages instead of full doc * debian/control: - move doxygen and debiandoc-sgml to Build-Depends-Indep as docs are no longer build in the same target as the manpages * apt-pkg/acquire-methods.cc: - factor out into private Dequeue() to fix access to deleted pointer * apt-pkg/contrib/fileutl.cc: - ensure that we close compressed fds, wait for forks and such even if the FileFd itself is set to not autoclose the given Fd * cmdline/apt-get.cc: - use the host architecture, not the build architecture for matching of [architecture restrictions] in Build-Depends (Closes: #672927) * doc/makefile: - build manpages with the correct l10n.gentext.default.language setting to get the correct section titles provided by docbook * doc/po/de.po: - updated german manpage translation by Chris Leick, thanks! * apt-pkg/packagemanager.cc: - do not run into loop on new-pre-depends-breaks (Closes: #673536) * doc/*.xml: - add a few translator notes and reword some paragraphs to ensure that translators and users alike can better understand them (Closes: #669409) - in mark all options with