[ubuntu/xenial-security] apt 1.2.29ubuntu0.1 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Tue Jan 22 12:13:21 UTC 2019 

apt (1.2.29ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: content injection in http method (CVE-2019-3462)
    (LP: #1812353)

apt (1.2.29) xenial; urgency=medium

  * Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scripts.
    Some post-invoke scripts install packages, which fails because
    the environment variable is not set. This sets the variable for
    all three kinds of scripts {pre,post-}invoke and pre-install-pkgs,
    but we will only allow post-invoke at a later time.
    (LP: #1796808)

apt (1.2.28) xenial; urgency=medium

  [ Julian Andres Klode ]
  * apt.conf.autoremove: Add linux-cloud-tools to list (LP: #1698159)
  * Add support for dpkg frontend lock (Closes: #869546) (LP: #1781169)
  * Set DPKG_FRONTEND_LOCKED as needed when doing selection changes
  * http: Stop pipeline after close only if it was not filled before
    (LP: #1794957)
  * pkgCacheFile: Only unlock in destructor if locked before (LP: #1794053)
  * Update libapt-pkg5.0 symbols for frontend locking

  [ David Kalnischkies ]
  * Support records larger than 32kb in 'apt show' (Closes: #905527)
    (LP: #1787120)

apt (1.2.27) xenial; urgency=medium

  [ David Kalnischkies ]
  * don't hang if multiple sources use unavailable method (Closes: 870675)
    (LP: #1762766)

  [ Julian Andres Klode ]
  * Fix lock counting in debSystem (LP: #1778547)
  * apt.conf.autoremove: Catch some new Ubuntu module packages (LP: #1778551)

apt (1.2.26) xenial; urgency=medium

  * Revert "http: A response with Content-Length: 0 has no content"
    - broke Content-Length: 0 redirects (in xenial only) (LP: #1751225)
  * travis: Migrate to Docker to make CI work again

apt (1.2.25) xenial; urgency=medium

  * Microrelease covering 1.4.7 (LP: #1702326) and 1.4.8

  [ Robert Luberda ]
  * fix a "critical" typo in old changelog entry (Closes: 866358)

  [ David Kalnischkies ]
  * use port from SRV record instead of initial port
  * don't ask an uninit _system for supported archs (LP: #1613184)

  [ Julian Andres Klode ]
  * Reset failure reason when connection was successful
  * http: A response with Content-Length: 0 has no content
  * apt-daily: Pull in network-online.target in service, not timer
    (LP: #1716973)

  [ Balint Reczey ]
  * Gracefully terminate process when stopping apt-daily-upgrade (LP: #1690980)

apt (1.2.24) xenial; urgency=medium

  * Microrelease covering fixes of 1.4.6
  * Fix parsing of or groups in build-deps with ignored packages (LP: #1694697)
  * apt.systemd.daily: Use unattended-ugrade --download-only if available.
    Instead of passing -d, which enables a debugging mode; check if
    unattended-upgrade supports an option --download-only (which is yet
    to be implemented) and use that (Closes: #863859)

apt (1.2.23) xenial; urgency=medium

  * Microrelease covering fixes of 1.4.4

  [ Alan Jenkins ]
  * apt.systemd.daily: fix error from locking code (Closes: #862567)

apt (1.2.22) xenial; urgency=medium

  [ Julian Andres Klode ]
  * Run unattended-upgrade -d in download part
  * apt.systemd.daily: Add locking
  * Split apt-daily timer into two (LP: #1686470)

  [ Matt Kraai ]
  * bash-completion: Fix spelling of autoclean (Closes: #861846)

apt (1.2.21) xenial; urgency=medium

  * Microrelease covering fixes of 1.4 and 1.4.1

  [ Julian Andres Klode ]
  * Ignore \.ucf-[a-z]+$ like we do for \.dpkg-[a-z]+$
  * systemd: Rework timing and add After=network-online (was LP #1615482)

  [ David Kalnischkies ]
  * Fix and avoid quoting in CommandLine::AsString (LP: #1672710)

  [ Unit 193 ]
  * apt-ftparchive: Support '.ddeb' dbgsym packages

apt (1.2.20) xenial; urgency=medium

  * Microrelease covering fixes of 1.4~rc2 (LP: #1668285)

  [ David Kalnischkies ]
  * don't install new deps of candidates for kept back pkgs
  * keep Release.gpg on untrusted to trusted IMS-Hit (Closes: 838779)
    (LP: #1657440)
  * reset HOME, USER(NAME), TMPDIR & SHELL in DropPrivileges (Closes: 842877)
  * add TMP/TEMP/TEMPDIR to the TMPDIR DropPrivileges dance
  * let {dsc,tar,diff}-only implicitly enable download-only
  * don't show update stats if cache generation is disabled
  * don't lock dpkg in 'apt-get clean'
  * don't lock dpkg in update commands
  * avoid validate/delete/load race in cache generation
  * remove 'old' FAILED files in the next acquire call (Closes: 846476)
  * stop rred from leaking debug messages on recovered errors (Closes: #850759)

  [ Paul Wise ]
  * show output as documented for APT::Periodic::Verbose 2 (Closes: 845599)

  [ John R. Lenton ]
  * bash-completion: Only complete understood file paths for install
    (LP: #1645815)

  [ Lukasz Kawczynski ]
  * Honour Acquire::ForceIPv4/6 in the https transport

  [ Julian Andres Klode ]
  * basehttp: Only read Content-Range on 416 and 206 responses (LP: #1657567)
  * Only merge acquire items with the same meta key (Closes: #838441)
  * Do not package names representing .dsc/.deb/... files (Closes: #854794)
  * Don't use -1 fd and AT_SYMLINK_NOFOLLOW for faccessat()
    Thanks to James Clarke for debugging these issues

apt (1.2.19) xenial; urgency=medium

  * https: Quote path in URL before passing it to curl (LP: #1651923)

apt (1.2.18) xenial; urgency=high

  * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
    Thanks to Jann Horn, Google Project Zero for reporting the issue
    (LP: #1647467)
  * gpgv: Flush the files before checking for errors

apt (1.2.17) xenial; urgency=medium

  [ David Kalnischkies ]
  * apt-key: warn instead of fail on unreadable keyrings (LP: #1642386)
  * show apt-key warnings in apt update (Closes: 834973)

  [ Julian Andres Klode ]
  * test-releasefile-verification: installaptold: Clean up before run

apt (1.2.16) xenial; urgency=medium

  [ David Kalnischkies ]
  * avoid changing the global LC_TIME for Release writing
  * use de-localed std::put_time instead rolling our own
  * accept only the expected UTC timezones in date parsing (Closes: 819697)
  * avoid std::get_time usage to sidestep libstdc++6 bug (LP: #1593583)
  * imbue datetime parsing with C.UTF-8 locale (Closes: 828011)
  * prevent C++ locale number formatting in text APIs (try 2) (Closes: 832044)
  * prevent C++ locale number formatting in text APIs (try 3) (LP: #1611010)
    (LP: #1592817)
  * imbue .diff/Index parsing with C.UTF-8 as well

  [ Julian Andres Klode ]
  * Use C locale instead of C.UTF-8 for protocol strings
  * Add shippable.yml for CI on Shippable
  * Revert "if the FileFd failed already following calls should fail, too"
    (LP: #1641905)

Date: 2019-01-18 19:56:21.813026+00:00
Changed-By: Julian Andres Klode <julian.klode at canonical.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/apt/1.2.29ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.

More information about the Xenial-changes mailing list