python-apt:1.1.y-xenial

Last commit made on 2020-05-11
Get this branch:
git clone -b 1.1.y-xenial https://git.launchpad.net/python-apt

Branch information

Name: 1.1.y-xenial
Repository: lp:python-apt

Recent commits

ab41467... by Julian Andres Klode

Sponsor 1.1.0~beta1ubuntu0.16.04.9

53bb9b6... by Dave Jones

Don't duplicate disabled sources during add()

When calling SourcesList.add, don't duplicate disabled sources. Continue
to permit enabling disabled sources during addition, but not disabling
enabled sources.

Tests are included for both duplicate suppression and the enabling
functionality (which didn't seem to be covered by the existing tests),
as well as tests for pos.

LP: #1311056

0117783... by Marc Deslauriers

Import Debian version 1.1.0~beta1ubuntu0.16.04.8

python-apt (1.1.0~beta1ubuntu0.16.04.8) xenial-security; urgency=medium

  * SECURITY REGRESSION: crash with ubuntu-release-upgrader (LP: #1860606)
    - apt/cache.py: make allow_unauthenticated argument to
      fetch_archives() optional.

564cd38... by Julian Andres Klode

Import Debian version 1.1.0~beta1ubuntu0.16.04.7

python-apt (1.1.0~beta1ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads
    (Closes: #944696) (LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu14.2), as it will have
      to set that parameter after having done validation.
  * Necessary backports:
    - turn elements in apt_pkg.SourceRecords.files into a class, rather than
      a tuple (w/ legacy compat), so we can get to their hashes
    - add apt_pkg.HashStringList
    - add apt_pkg.Hashes.hashes
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update
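The policy this changelog entry describes, as an added illustration that is not python-apt's own code: a pure-Python model of the fetch checks behind CVE-2019-15795 and CVE-2019-15796, assuming SHA-256/SHA-512 count as trusted hash types and MD5 does not, and with allow_unauthenticated defaulting to False instead of to APT::Get::AllowUnauthenticated. The sample payload and its hash record are constructed.

```python
import hashlib

# Hash types treated as trusted here (an assumption for this illustration; apt
# keeps its own list). MD5 is deliberately absent, which is the point of the fix.
TRUSTED_HASH_TYPES = ("sha256", "sha512")


class UntrustedError(Exception):
    """A download would rely on an untrusted repository or untrusted hash."""


def check_fetch_allowed(repo_trusted, expected_hashes, allow_unauthenticated=False):
    """Pre-download check. repo_trusted: apt considers the origin trusted
    (signed, or trusted=yes); expected_hashes: {hash_type: hex digest} from the
    package record; allow_unauthenticated: the opt-out (defaults to False here,
    not to APT::Get::AllowUnauthenticated as in python-apt)."""
    if allow_unauthenticated:
        return True
    if not repo_trusted:
        raise UntrustedError("origin repository is not trusted")
    if not any(t in TRUSTED_HASH_TYPES for t in expected_hashes):
        raise UntrustedError("no trusted hash available for this file")
    return True


def verify_download(data, expected_hashes, allow_unauthenticated=False):
    """Post-download check: every listed hash must match, and unless the
    caller opted out, at least one of them must be a trusted type."""
    if not allow_unauthenticated and not any(
            t in TRUSTED_HASH_TYPES for t in expected_hashes):
        raise UntrustedError("cannot verify without a trusted hash")
    for hash_type, expected in expected_hashes.items():
        if hashlib.new(hash_type, data).hexdigest() != expected:
            raise ValueError("%s mismatch for downloaded file" % hash_type)
    return True


def safe_to_install(repo_trusted, data, expected_hashes, allow_unauthenticated=False):
    """Run both checks and report the outcome as a bool."""
    try:
        check_fetch_allowed(repo_trusted, expected_hashes, allow_unauthenticated)
        verify_download(data, expected_hashes, allow_unauthenticated)
    except (UntrustedError, ValueError):
        return False
    return True


# Constructed sample: a stand-in for a .deb and the hashes its record would carry.
SAMPLE_DEB = b"!<arch>\nconstructed sample payload, not a real package\n"
RECORD_STRONG = {"md5": hashlib.md5(SAMPLE_DEB).hexdigest(),
                 "sha256": hashlib.sha256(SAMPLE_DEB).hexdigest()}
RECORD_MD5_ONLY = {"md5": RECORD_STRONG["md5"]}  # the pre-fix situation
```

An MD5-only record is refused unless the caller opts out explicitly, and even with the opt-out a tampered file still fails because every hash in the record is compared.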

bda05a9... by Julian Andres Klode

Release 1.1.0~beta1ubuntu0.16.04.6

950ec95... by Julian Andres Klode

Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu14.1)

as it will have to set that parameter after having done validation.

(cherry picked from commit 9b97a604a235ef25adabd42d5db099cdadf37688)

c077bc2... by Julian Andres Klode

apt/cache.py: Check for unauthenticated in fetch_archives/commit

This follows the same behavior as for fetch_binary() /
fetch_source(); it is a follow-up to

CVE-2019-15796
LP: #1858973

1.8 backport: Remove with InstallProgress()

(cherry picked from commit b6a5b814074e78f9b78f171ee7ab5a55fcb9dda5)
(cherry picked from commit 1567b0aa475740f96dfb721be829db645bcf595e)

Backport changes in test: Enable the crashing tests.

3bdf006... by Julian Andres Klode

test_signed_usable.py: Add test case for security bugs

This checks all 4 variants of signed x usable hashes, by building
a package each. And then checks for all variants of the
allow_unauthenticated parameter.

We need to provide assertRaisesRegex for Pythons < 3.1, so we
can test there as well.

(cherry picked from commit 8b527257c55b88310c315b5c588940626cf206ef)
(cherry picked from commit 315ec78ab98d16de2f8c36e8646bb9e11c26bcc6)

Backport to xenial: Set trusted=yes for signed repo, as signing check
does not work, because apt-key always uses host keys.

192dc55... by Julian Andres Klode

apt/package: Add allow_unauthenticated parameter

(cherry picked from commit 59a26938489af8bf4e4c326c4d50ff5ba2ba9f85)
(cherry picked from commit 51eac2e007911b52630881bc228d8bb2505962a3)
(cherry picked from commit 5f4d7114dc578142364c4cec05b0937856f5317b)

286d9f9... by Julian Andres Klode

Version.fetch_{binary,source}: Check that the repository is trusted

Only fetch binaries and sources from trusted repositories, as
otherwise the hashes are fairly meaningless.

(cherry picked from commit feaf536a2fc4b76e74073f27e868f60fcb3cb8a8)

CVE-2019-15796
LP: #1858973

(cherry picked from commit 01c56933d07ffdf24351396b99ce29c3162abf4d)
(cherry picked from commit fac8c9c31c8d63b51ecd57e366a667291aa2cf1b)