Last commit made on 2020-05-11
Get this branch:
git clone -b ubuntu/eoan

Branch merges

Branch information


Recent commits

69c2ed0... by Julian Andres Klode

Sponsor 1.9.0ubuntu1.4

c5fc32b... by Dave Jones

Don't duplicate disabled sources during add()

When calling SourcesList.add don't duplicate disabled sources. Continue
to permit enabling disabled sources during addition, but not disabling
enabled sources.

Tests are included for both duplicate suppression and the enabling
functionality (which didn't seem to be covered by the existing tests),
as well as tests for pos.

LP: #1311056

ac36005... by Marc Deslauriers

Import Debian version 1.9.0ubuntu1.3

python-apt (1.9.0ubuntu1.3) eoan-security; urgency=medium

  * SECURITY REGRESSION: crash with ubuntu-release-upgrader (LP: #1860606)
    - apt/ make allow_unauthenticated argument to
      fetch_archives() optional.

2ad394c... by Julian Andres Klode

Import Debian version 1.9.0ubuntu1.2

python-apt (1.9.0ubuntu1.2) eoan-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/ Add checks to fetch_archives() and commit()
    - apt/ Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloadeds
    (Closes: #944696) (#LP: #1858972)
    - apt/ Use all hashes when fetching packages, and
      check that we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu28.1), as it will have
      to set that parameter after having done validation.
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

62901bf... by Julian Andres Klode

Release 1.9.0ubuntu1.1

197c4d4... by Julian Andres Klode

Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu28.1)

as it will have to set that parameter after having done validation.

614ded6... by Julian Andres Klode

apt/ Check for unauthenticated in fetch_archives/commit

This follows the same behavior as for fetch_binary() /
fetch_source(), it is a follow-up to

LP: #1858973

1.8 backport: Remove with InstallProgress()

10b0eb6... by Julian Andres Klode Add test case for security bugs

This checks all 4 variants of signed x usable hashes, by builting
a package each. And then checks for all variants of the
allow_unauthenticated parameter.

We need to provide assertRaisesRegex for Pythons < 3.1, so we
can test there as well.

0d76559... by Julian Andres Klode

apt/package: Add allow_unauthenticated parameter

(cherry picked from commit 59a26938489af8bf4e4c326c4d50ff5ba2ba9f85)

bbfe71e... by Julian Andres Klode

Version.fetch_{binary,source}: Check that the repository is trusted

Only fetch binaries and sources from trusted repositories, as
otherwise the hashes are fairly meaningless.

(cherry picked from commit feaf536a2fc4b76e74073f27e868f60fcb3cb8a8)

LP: #1858973