apt (1.2.15ubuntu0.2) xenial-security; urgency=high

  * SECURITY UPDATE: gpgv: Check for errors when splitting files
    (CVE-2016-1252)
    Thanks to Jann Horn, Google Project Zero for reporting the issue
    (LP: #1647467)
  * gpgv: Flush the files before checking for errors

 -- Julian Andres Klode Thu, 08 Dec 2016 15:28:08 +0100

apt (1.2.15) xenial; urgency=medium

  New micro release with bug fixes up to (and including) 1.3.1
  (LP: #1638021)

  [ Julian Andres Klode ]
  * methods/ftp: Cope with weird PASV responses.
    Thanks to Lukasz Stelmach for the initial patch (Closes: #420940)
  * Fix buffer overflow in debListParser::VersionHash() (Closes: #828812)
  * cache: Bump minor version to 6
  * indextargets: Check that cache could be built before using it
    (Closes: #829651)
  * gpgv: Unlink the correct temp file in error case
  * fileutl: empty file support: Avoid fstat() on -1 fd and check result
  * Ignore SIGINT and SIGQUIT for Pre-Install hooks
  * install-progress: Call the real ::fork() in our fork() method
  * Accept --autoremove as alias for --auto-remove
  * apt-inst: debfile: Pass comp. Name to ExtractTar, not Binary
  * changelog: Respect Dir setting for local changelog getting
  * Fix segfault and out-of-bounds read in Binary fields
  * Merge translations from 1.3~rc3
  * TagFile: Fix off-by-one errors in comment stripping
  * Base256ToNum: Fix uninitialized value
  * VersionHash: Do not skip too long dependency lines
  * Do not read stderr from proxy autodetection scripts

  [ Nicolas Le Cam ]
  * Use the ConditionACPower feature of systemd in the apt-daily service
    (Closes: #827930)

  [ David Kalnischkies ]
  * close server if parsing of header field failed
  * don't do atomic overrides with failed files (Closes: 828908)
  * if reading of autobit state failed, let write fail
  * write auto-bits before calling dpkg & again after if needed
  * factor out Pkg/DepIterator prettyprinters into own header
  * protect only the latest same-source providers from autoremove
  * reinstalling local deb file is no downgrade
  * do not treat same-version local debs as downgrade
  * avoid 416 response teardown binding to null pointer
  * don't change owner/perms/times through file:// symlinks
  * report all instead of first error up the acquire chain
  * keep trying with next if connection to a SRV host failed
  * call flush on the wrapped writebuffered FileFd
  * verify hash of input file in rred
  * use proper warning for automatic pipeline disable
  * rred: truncate result file before writing to it (Closes: #831762)
  * if the FileFd failed already following calls should fail, too
  * pass --force-remove-essential to dpkg only if needed
  * allow user@host (aka: no password) in URI parsing
  * drop incorrect const attribute from DirectoryExists (LP: 1473674)
  * http(s): allow empty values for header fields (Closes: 834048)
  * don't try pipelining if server closes connections (Closes: #832113)
  * don't loop on pinning pkgs from absolute debs by regex (Closes: 835818)
  * try not to call memcpy with length 0 in hash calculations
  * abort connection on '.' target replies in SRV

  [ Andrew Patterson ]
  * Add kernels with "+" in the package name to APT::NeverAutoRemove
    (Closes: #830159)

  [ Mert Dirik ]
  * Turkish program translation update (Closes: 832039)

  [ Zhou Mo ]
  * zh_CN.po: update simplified Chinese translation

 -- Julian Andres Klode Mon, 31 Oct 2016 15:29:08 +0100

apt (1.2.14) unstable; urgency=medium

  [ Julian Andres Klode ]
  * New micro release (LP: #1595177)

  [ Petter Reinholdtsen ]
  * Norwegian Bokmål program translation update (Closes: 827067)

  [ David Kalnischkies ]
  * do not error if auto-detect-proxy cmd has no output (Closes: 827713)
  * source: if download is skipped, don't try to unpack
  * ensure filesize of deb is included in the hashes list

  [ Dominic Benson ]
  * Reinstate caching of file hashes in apt-ftparchive (Closes: #806924)

 -- Julian Andres Klode Wed, 22 Jun 2016 14:54:48 +0200

apt (1.2.13) unstable; urgency=medium

  [ David Kalnischkies ]
  * fail instead of segfault on unreadable config files (Closes: 824503)
  * prevent C++ locale number formatting in text APIs (Closes: #825396)
  * apt-key: change to / before find to satisfy its CWD needs.
    Thanks to Samuel Thibault for 'finding' the culprit! (Closes: 826043)
  * do not hang on piped input in PipedFileFdPrivate
  * don't leak an FD in lz4 (de)compression
  * don't leak FD in AutoProxyDetect command return parsing

  [ Julian Andres Klode ]
  * Provide complete apt bash completion.
    Thanks to Elias Fröhner and Svyatoslav Gryaznov for the initial work
    (LP: #1573547)

  [ Zhou Mo ]
  * zh_TW.po: remove several fuzzy tags after review

  [ Yuri Kozlov ]
  * Russian program translation update (Closes: 824702)

  [ Takuma Yamada ]
  * Japanese program translation update (Closes: 826291)

 -- Julian Andres Klode Sat, 11 Jun 2016 17:28:25 +0200

apt (1.2.12) unstable; urgency=medium

  [ Patrick Cable ]
  * refactored no_proxy code to work regardless of where https proxy is set

  [ James McCoy ]
  * deb822: Restore support for -{Add,Remove}

  [ David Kalnischkies ]
  * don't show NO_PUBKEY warning if repo is signed by another key
    (Closes: 618445)
  * allow redirection for items without a space in the desc again
  * don't send uninstallable rc-only versions via EDSP
  * respect user pinning in M-A:same version (un)screwing

  [ Julian Andres Klode ]
  * update: Run Post-Invoke-Success if not all sources failed
  * debian/gbp.conf: Set debian-branch to 1.2.y

  [ Frans Spiesschaert ]
  * Dutch program translation update (Closes: 823976)

 -- Julian Andres Klode Wed, 11 May 2016 10:56:53 +0200

apt (1.2.11) unstable; urgency=medium

  [ David Kalnischkies ]
  * ensure transaction states are changed only once
  * stop handling items in doomed transactions.
    Thanks to Barr Detwix & Vincent Lefevre for log files (Closes: 817240)
  * do not require non-broken systems in 'upgrade'
  * detect compressed status files on extension again
  * recheck Pre-Depends satisfaction in SmartConfigure (LP: #1569099)
  * fix Alt-Filename handling of file method
  * allow uncompressed files to be empty in store again
  * silently skip acquire of empty index files
  * ensure outdated files are dropped without lists-cleanup

  [ Kelemen Gábor ]
  * Hungarian program translation update (Closes: 820638)

 -- Julian Andres Klode Mon, 25 Apr 2016 15:23:49 +0200

apt (1.2.10) unstable; urgency=medium

  [ Zhou Mo ]
  * zh_CN.po: update simplified Chinese translation. (100%)

  [ Julian Andres Klode ]
  * test-apt-download-progress: Use a larger file for testing
  * Allow lowering trust level of a hash via config

  [ Michael Vogt ]
  * Use systemd.timer instead of a cron job
    (Closes: #600262, #709675, #663290) (LP: #246381, #727685)

  [ David Kalnischkies ]
  * use buffered writing for InRelease splitting

  [ Takuma Yamada ]
  * Japanese program translation update (Closes: 819938)

 -- Michael Vogt Tue, 05 Apr 2016 20:23:47 +0200

apt (1.2.9) unstable; urgency=high

  [ David Kalnischkies ]
  * drop confusing comma from no strong hash message

  [ Julian Andres Klode ]
  * Do not mark packages for keep that we want to remove (LP: #1562402)
    (This fixes some upgrades involving renames where the old package
    is removed)

 -- Julian Andres Klode Sun, 27 Mar 2016 01:26:51 +0100

apt (1.2.8) unstable; urgency=medium

  [ Michael Vogt ]
  * Get accurate progress reporting in apt update again

  [ Julian Andres Klode ]
  * Report non-transient errors as errors, not as warnings
  * methods/gpgv: Rewrite error handling and message.
    Thanks to Ron Lee for wording suggestions
  * Use descriptive URIs in 104 Warning messages
  * cachefile: Only set members that were initialized successfully
    (Closes: #818628)
  * Update symbols file

  [ David Kalnischkies ]
  * do not strip epochs from state version strings (Closes: 818162)
  * properly check for "all good sigs are weak" (Closes: 818910)
  * handle gpgv's weak-digests ERRSIG

  [ Zhou Mo ]
  * zh_CN.po: update simplified Chinese translation. (Closes: #818639)

  [ Takuma Yamada ]
  * Japanese manpage translation update (Closes: 818950)

 -- Julian Andres Klode Thu, 24 Mar 2016 19:31:24 +0100

apt (1.2.7) unstable; urgency=medium

  "Caesar is dead"

  [ Frans Spiesschaert ]
  * Dutch program translation update (Closes: 817060)
  * Dutch manpages translation update (Closes: 817062)

  [ Julian Andres Klode ]
  * Use native architecture instead of amd64 for build-dep-purge test
  * Do not consider SHA1 usable
  * Test that SHA1-only .diff/Index files are not used
  * test: Use SHA512 digests for GPG, reject SHA1-based signatures
  * methods/gpgv: Reject weak digest algorithms
  * apt-pkg/acquire-worker.cc: Introduce 104 Warning message
  * methods/gpgv: Warn about SHA1 (and RIPEMD-160)

  [ David Kalnischkies ]
  * require $(HASH)-Download field in .diff/Index files
  * flush line-clearing on progress stop before post-invoke
    (Closes: 793672)
  * enforce verify of filesize in 'apt-get source'

  [ Manuel "Venturi" Porras Peralta ]
  * Spanish apt-mark translation fix (Closes: 817999)

  [ Zhou Mo ]
  * zh_CN.po: fix translation bug. (Closes: #818177)

  [ Michael Vogt ]
  * Fix bug where the problemresolve can put a pkg into a heisenstate
    (LP: #1550741)

 -- Julian Andres Klode Tue, 15 Mar 2016 19:20:18 +0100

# For older changelog entries, run 'apt-get changelog libapt-pkg5.0'