python-apt:ubuntu/eoan

Last commit made on 2020-05-11
Get this branch:
git clone -b ubuntu/eoan https://git.launchpad.net/python-apt

Branch information

Name: ubuntu/eoan
Repository: lp:python-apt

Recent commits

69c2ed0... by Julian Andres Klode

Sponsor 1.9.0ubuntu1.4

c5fc32b... by Dave Jones

Don't duplicate disabled sources during add()

When calling SourcesList.add don't duplicate disabled sources. Continue
to permit enabling disabled sources during addition, but not disabling
enabled sources.

Tests are included for both duplicate suppression and the enabling
functionality (which didn't seem to be covered by the existing tests),
as well as tests for pos.

LP: #1311056

ac36005... by Marc Deslauriers

Import Debian version 1.9.0ubuntu1.3

python-apt (1.9.0ubuntu1.3) eoan-security; urgency=medium

  * SECURITY REGRESSION: crash with ubuntu-release-upgrader (LP: #1860606)
    - apt/cache.py: make allow_unauthenticated argument to
      fetch_archives() optional.

2ad394c... by Julian Andres Klode

Import Debian version 1.9.0ubuntu1.2

python-apt (1.9.0ubuntu1.2) eoan-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads
    (Closes: #944696) (#LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu28.1), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

62901bf... by Julian Andres Klode

Release 1.9.0ubuntu1.1

197c4d4... by Julian Andres Klode

Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu28.1)

as it will have to set that parameter after having done validation.

614ded6... by Julian Andres Klode

apt/cache.py: Check for unauthenticated in fetch_archives/commit

This follows the same behavior as for fetch_binary() /
fetch_source(), it is a follow-up to

CVE-2019-15796
LP: #1858973

1.8 backport: Remove with InstallProgress()

10b0eb6... by Julian Andres Klode

test_signed_usable.py: Add test case for security bugs

This checks all 4 variants of signed x usable hashes, by building
a package each. And then checks for all variants of the
allow_unauthenticated parameter.

We need to provide assertRaisesRegex for Pythons < 3.1, so we
can test there as well.

0d76559... by Julian Andres Klode

apt/package: Add allow_unauthenticated parameter

(cherry picked from commit 59a26938489af8bf4e4c326c4d50ff5ba2ba9f85)

bbfe71e... by Julian Andres Klode

Version.fetch_{binary,source}: Check that the repository is trusted

Only fetch binaries and sources from trusted repositories, as
otherwise the hashes are fairly meaningless.

(cherry picked from commit feaf536a2fc4b76e74073f27e868f60fcb3cb8a8)

CVE-2019-15796
LP: #1858973