lp:ubuntu/oneiric-security/apt

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

174. By Marc Deslauriers on 2013-03-13

* SECURITY UPDATE: InRelease verification bypass
  - CVE-2013-1051

[ David Kalnischk ]
[ Michael Vogt ]
* apt-pkg/deb/debmetaindex.cc,
  test/integration/test-bug-595691-empty-and-broken-archive-files,
  test/integration/test-releasefile-verification:
  - disable InRelease downloading until the verification issue is
    fixed, thanks to Ansgar Burchardt for finding the flaw

173. By Michael Vogt on 2012-12-04

* SECURITY UPDATE: change permissions of
  /var/log/apt/term.log to 0640 (LP: #975199)
  - CVE-2012-0961

172. By Jamie Strandboge on 2012-06-15

* SECURITY UPDATE: Disable apt-key net-update for now, as validation
  code is still insecure
  - cmdline/apt-key: exit 1 immediately in net_update()
  - CVE-2012-0954
  - LP: #1013639

171. By Jamie Strandboge on 2012-06-14

adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
Marc Deslauriers. (LP: #1013128)

170. By Marc Deslauriers on 2012-03-05

* SECURITY UPDATE: trust bypass via stale InRelease file (LP: #947108)
  - CVE-2012-0214
* This packages does _not_ contain the changes from 0.8.16~exp5ubuntu13.1
  in oneiric-proposed.

[ David Kalnischkies ]
* apt-pkg/acquire-item.cc:
  - remove 'old' InRelease file if we can't get a new one before
    proceeding with Release.gpg to avoid the false impression of a still
    trusted repository by a (still present) old InRelease file.
    Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)

169. By Michael Vogt on 2011-10-06

[ Adam Conrad ]
* On armel, call update-apt-xapian-index with '-u' to keep the CPU
  and I/O usage low. We would do this on all arches, but there's a
  regression risk here, but that's better than killing slow systems.

[ Michael Vogt ]
* cmdline/apt-key:
  - fix apt-key net-update, thanks to Marc Deslauriers and
    Adam Conrad for the code review (LP: #857472)

168. By Michael Vogt on 2011-09-26

[ David Kalnischkies ]
* apt-pkg/deb/deblistparser.cc:
  - fix crash when the dynamic mmap needs to be remapped during
    LoadReleaseInfo (LP: #854090)

167. By Michael Vogt on 2011-09-22

[ Colin Watson ]
* ftparchive/cachedb.cc:
  - fix buffersize in bytes2hex

[ Marc Deslauriers ]
* SECURITY UPDATE: Disable apt-key net-update for now, as validation
  code is insecure.
  - cmdline/apt-key: exit immediately out of net_update().
  - CVE number pending

166. By Michael Vogt on 2011-09-20

* methods/https.cc:
  - cleanup broken downloads properly (just like http)

165. By Michael Vogt on 2011-09-16

[ Michael Vogt ]
* apt-pkg/acquire-item.h, apt-pkg/deb/debmetaindex.cc:
  - fix fetching translated package descriptions (including the newly
    stripped out english ones) by adding OptionalSubIndexTarget

[ David Kalnischkies ]
* apt-pkg/acquire-item.cc:
  - if no Release.gpg file is found try to verify with hashes,
    but do not fail if a hash can't be found
* apt-pkg/indexrecords.cc:
  - fix Acquire::Max-ValidTime option by interpreting it really
    as seconds as specified in the manpage and not as days
  - add an Acquire::Min-ValidTime option (Closes: #640122)
* doc/apt.conf.5.xml:
  - reword Acquire::Max-ValidTime documentation to make clear
    that it doesn't provide the new Min-ValidTime functionality