* Merge from Debian unstable (LP: #933148), remaining changes:
- Demote Recommends to Suggests:
+ libcrypt-ssleay-perl: only needed for a corner case (uscan on SSL
download sites), wasn't installed by default in previous releases
either, and seems quite dead upstream; universe only.
+ debian-keyring: not useful enough in Ubuntu; universe only.
+ equivs: too much of a hack to install by default; universe only.
+ libsoap-lite-perl: only needed for one less common command ("select")
for bts, which isn't useful for Ubuntu itself, and pulls in a lot of
other universe Perl libraries; universe only.
- scripts/debchange.{pl,1}:
+ Adjust --security template for Ubuntu.
+ Add -U/--upstream flag that forces original "just increment
the end" behaviour; Ubuntu is upstream for some pieces of software.
+ Add --distributor= and DEBCHANGE_DISTRIBUTOR to override lsb_release
output.
+ Default to "precise" as distribution.
+ Add "ubuntu1" to version string for new versions, with tweaks for
special cases.
+ Add -R/--rebuild flag for Ubuntu's no-change rebuilds.
+ Don't use the last distribution in debian/changelog when doing
"dch -r" on Ubuntu. "Just because it was last uploaded to jaunty
doesn't mean that's the right thing to do now."
- Add test/debchange.pl, test/Makefile: debchange test suite.
- Rename XS-Vcs-* to XS-Debian-Vcs-*.
devscripts (2.11.4) unstable; urgency=high
* Urgency "high" for security fixes.
[ James McCoy ]
* bts: Revert usertags' handling of more than one +/-/=. Only the first one
is relevant.
[ Ryan Niebur ]
* dget: when finding the sources.list entry for the repository to
download a package from, match any port with the correct hostname
because apt-cache policy does not output port numbers in URLs
(Closes: #601951)
[ Adam D. Barratt ]
* debdiff:
+ Fix a regression in the handling of embedded tarballs (a side
effect of the changes introduced to resolve #571528).
+ Extend the changes from #571528 to cover more situations where
user or file input is passed to an external program. Fixes
CVE-2012-2012 (and any instance of CVE-2012-2011 not already
covered by #571528).
[ Paul Wise ]
* suspicious-source: Also ignore mercurial and darcs VCS directories
(Closes: #659966).
[ Benjamin Drung ]
* suspicious-source: Add inode/x-empty to whitelist of MIME types
(Closes: #659946).
[ Raphael Geissert ]
* debdiff:
+ Remove undocumented feature treating extensionless files as if
they were packages (Closes: #659559)
+ Add missing chdir for dpkg-source and remove extraneous quoting
of --exclude parameters.
+ Fix CVE-2012-0210 (insufficient input sanitising reading .dsc
and .changes files).
-- Tyler Hicks <email address hidden> Wed, 15 Feb 2012 16:40:33 -0600
This bug was fixed in the package devscripts - 2.11.4ubuntu1
---------------
devscripts (2.11.4ubuntu1) precise; urgency=low
* Merge from Debian unstable (LP: #933148), remaining changes:
- Demote Recommends to Suggests:
+ libcrypt-ssleay-perl: only needed for a corner case (uscan on SSL
download sites), wasn't installed by default in previous releases
either, and seems quite dead upstream; universe only.
+ debian-keyring: not useful enough in Ubuntu; universe only.
+ equivs: too much of a hack to install by default; universe only.
+ libsoap-lite-perl: only needed for one less common command ("select")
for bts, which isn't useful for Ubuntu itself, and pulls in a lot of
other universe Perl libraries; universe only.
- scripts/debchange.{pl,1}:
+ Adjust --security template for Ubuntu.
+ Add -U/--upstream flag that forces original "just increment
the end" behaviour; Ubuntu is upstream for some pieces of software.
+ Add --distributor= and DEBCHANGE_DISTRIBUTOR to override lsb_release
output.
+ Default to "precise" as distribution.
+ Add "ubuntu1" to version string for new versions, with tweaks for
special cases.
+ Add -R/--rebuild flag for Ubuntu's no-change rebuilds.
+ Don't use the last distribution in debian/changelog when doing
"dch -r" on Ubuntu. "Just because it was last uploaded to jaunty
doesn't mean that's the right thing to do now."
- Add test/debchange.pl, test/Makefile: debchange test suite.
- Rename XS-Vcs-* to XS-Debian-Vcs-*.
devscripts (2.11.4) unstable; urgency=high
* Urgency "high" for security fixes.
[ James McCoy ]
* bts: Revert usertags' handling of more than one +/-/=. Only the first one
is relevant.
[ Ryan Niebur ]
* dget: when finding the sources.list entry for the repository to
download a package from, match any port with the correct hostname
because apt-cache policy does not output port numbers in URLs
(Closes: #601951)
[ Adam D. Barratt ]
* debdiff:
+ Fix a regression in the handling of embedded tarballs (a side
effect of the changes introduced to resolve #571528).
+ Extend the changes from #571528 to cover more situations where
user or file input is passed to an external program. Fixes
CVE-2012-2012 (and any instance of CVE-2012-2011 not already
covered by #571528).
[ Paul Wise ]
* suspicious-source: Also ignore mercurial and darcs VCS directories
(Closes: #659966).
[ Benjamin Drung ]
* suspicious-source: Add inode/x-empty to whitelist of MIME types
(Closes: #659946).
[ Raphael Geissert ]
* debdiff:
+ Remove undocumented feature treating extensionless files as if
they were packages (Closes: #659559)
+ Add missing chdir for dpkg-source and remove extraneous quoting
of --exclude parameters.
+ Fix CVE-2012-0210 (insufficient input sanitising reading .dsc
and .changes files).
-- Tyler Hicks <email address hidden> Wed, 15 Feb 2012 16:40:33 -0600