Last commit made on 2020-05-11
Get this branch:
git clone -b 1.6.y

Branch merges

Branch information


Recent commits

2b17f82... by Julian Andres Klode

Sponsor 1.6.5ubuntu0.3

19bc008... by Dave Jones

Don't duplicate disabled sources during add()

When calling SourcesList.add don't duplicate disabled sources. Continue
to permit enabling disabled sources during addition, but not disabling
enabled sources.

Tests are included for both duplicate suppression and the enabling
functionality (which didn't seem to be covered by the existing tests),
as well as tests for pos.

LP: #1311056

cceda9f... by Marc Deslauriers

Import Debian version 1.6.5ubuntu0.2

python-apt (1.6.5ubuntu0.2) bionic-security; urgency=medium

  * SECURITY REGRESSION: crash with ubuntu-release-upgrader (LP: #1860606)
    - apt/ make allow_unauthenticated argument to
      fetch_archives() optional.

38d370c... by Julian Andres Klode

Import Debian version 1.6.5ubuntu0.1

python-apt (1.6.5ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/ Add checks to fetch_archives() and commit()
    - apt/ Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloadeds
    (Closes: #944696) (#LP: #1858972)
    - apt/ Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu21.2), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

83b029e... by Julian Andres Klode

Release 1.6.5

afe9f2c... by Julian Andres Klode

Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu19.2)

as it will have to set that parameter after having done validation.

(cherry picked from commit 9b97a604a235ef25adabd42d5db099cdadf37688)

12b3b72... by Julian Andres Klode

apt/ Check for unauthenticated in fetch_archives/commit

This follows the same behavior as for fetch_binary() /
fetch_source(), it is a follow-up to

LP: #1858973

1.8 backport: Remove with InstallProgress()

(cherry picked from commit b6a5b814074e78f9b78f171ee7ab5a55fcb9dda5)

ce63522... by Julian Andres Klode Add test case for security bugs

This checks all 4 variants of signed x usable hashes, by builting
a package each. And then checks for all variants of the
allow_unauthenticated parameter.

We need to provide assertRaisesRegex for Pythons < 3.1, so we
can test there as well.

(cherry picked from commit 8b527257c55b88310c315b5c588940626cf206ef)

5f4d711... by Julian Andres Klode

apt/package: Add allow_unauthenticated parameter

(cherry picked from commit 59a26938489af8bf4e4c326c4d50ff5ba2ba9f85)
(cherry picked from commit 51eac2e007911b52630881bc228d8bb2505962a3)

fac8c9c... by Julian Andres Klode

Version.fetch_{binary,source}: Check that the repository is trusted

Only fetch binaries and sources from trusted repositories, as
otherwise the hashes are fairly meaningless.

(cherry picked from commit feaf536a2fc4b76e74073f27e868f60fcb3cb8a8)

LP: #1858973

(cherry picked from commit 01c56933d07ffdf24351396b99ce29c3162abf4d)