Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/oneiric-security/apt
Members of Ubuntu branches can upload to this branch.

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

174. By Marc Deslauriers

* SECURITY UPDATE: InRelease verification bypass
  - CVE-2013-1051

[ David Kalnischkies ]
[ Michael Vogt ]
* apt-pkg/deb/debmetaindex.cc:
  - disable InRelease downloading until the verification issue is
    fixed, thanks to Ansgar Burchardt for finding the flaw

173. By Michael Vogt

* SECURITY UPDATE: change permissions of
  /var/log/apt/term.log to 0640 (LP: #975199)
  - CVE-2012-0961

172. By Jamie Strandboge

* SECURITY UPDATE: Disable apt-key net-update for now, as validation
  code is still insecure
  - cmdline/apt-key: exit 1 immediately in net_update()
  - CVE-2012-0954
  - LP: #1013639

171. By Jamie Strandboge

adjust apt-key to ensure no collisions on subkeys too. Patch thanks to
Marc Deslauriers. (LP: #1013128)

170. By Marc Deslauriers

* SECURITY UPDATE: trust bypass via stale InRelease file (LP: #947108)
  - CVE-2012-0214
* This package does _not_ contain the changes from 0.8.16~exp5ubuntu13.1
  in oneiric-proposed.

[ David Kalnischkies ]
* apt-pkg/acquire-item.cc:
  - remove 'old' InRelease file if we can't get a new one before
    proceeding with Release.gpg to avoid the false impression of a still
    trusted repository by a (still present) old InRelease file.
    Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)

169. By Michael Vogt

[ Adam Conrad ]
* On armel, call update-apt-xapian-index with '-u' to keep the CPU
  and I/O usage low. We would do this on all arches, but there's a
  regression risk here, but that's better than killing slow systems.

[ Michael Vogt ]
* cmdline/apt-key:
  - fix apt-key net-update, thanks to Marc Deslauriers and
    Adam Conrad for the code review (LP: #857472)

168. By Michael Vogt

[ David Kalnischkies ]
* apt-pkg/deb/deblistparser.cc:
  - fix crash when the dynamic mmap needs to be remapped during
    LoadReleaseInfo (LP: #854090)

167. By Michael Vogt

[ Colin Watson ]
* ftparchive/cachedb.cc:
  - fix buffersize in bytes2hex

[ Marc Deslauriers ]
* SECURITY UPDATE: Disable apt-key net-update for now, as validation
  code is insecure.
  - cmdline/apt-key: exit immediately out of net_update().
  - CVE number pending

166. By Michael Vogt

* methods/https.cc:
  - cleanup broken downloads properly (just like http)

165. By Michael Vogt

[ Michael Vogt ]
* apt-pkg/acquire-item.h, apt-pkg/deb/debmetaindex.cc:
  - fix fetching translated package descriptions (including the newly
    stripped out English ones) by adding OptionalSubIndexTarget

[ David Kalnischkies ]
* apt-pkg/acquire-item.cc:
  - if no Release.gpg file is found try to verify with hashes,
    but do not fail if a hash can't be found
* apt-pkg/indexrecords.cc:
  - fix Acquire::Max-ValidTime option by interpreting it really
    as seconds as specified in the manpage and not as days
  - add an Acquire::Min-ValidTime option (Closes: #640122)
* doc/apt.conf.5.xml:
  - reword Acquire::Max-ValidTime documentation to make clear
    that it doesn't provide the new Min-ValidTime functionality

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.