[ubuntu/artful-proposed] dpkg 1.18.24ubuntu1 (Accepted)
Adam Conrad
adconrad at ubuntu.com
Mon Jun 5 18:09:14 UTC 2017
dpkg (1.18.24ubuntu1) artful; urgency=medium

  * Merge from current Debian testing; remaining Ubuntu changes:
    - Change native source version/format mismatch errors into warnings
      until the dust settles on Debian bug 737634 about override options.
    - Add DPKG_UNTRANSLATED_MESSAGES environment check so that higher-level
      tools can get untranslated dpkg terminal log messages while at the
      same time having translated debconf prompts.
    - Special-case arm{el,hf} ELF objects in Shlibs/Objdump.pm for multilib.
    - Map unqualified package names of multiarch-same packages to the native
      arch instead of throwing an error, so that we don't break on upgrade
      when there are unqualified names stored in the dpkg trigger database.
    - Apply a workaround from mvo to consider ^rc packages as multiarch,
      during the dpkg consistency checks. (see LP: 1015567 and 1057367).
    - dpkg-gencontrol: Fix Package-Type override handling for ddeb support.
  * scripts/Dpkg/Vendor/Ubuntu.pm: Drop hardening changes merged upstream.
  * dpkg-buildpackage: Drop stale debian/files cleaning, solved differently.

dpkg (1.18.24) unstable; urgency=medium

  [ Guillem Jover ]
  * Add missing symbols to the libdpkg map file.
  * Fix dpkg-shlibdeps to preserve the Dpkg::Shlibs::find_library() order
    when scanning symbols/shlibs files. This was causing generation of bogus
    dependencies when multiple packages provide the same SONAME on different
    directories. Regression introduced in dpkg 1.18.17. Closes: #860979
  * Make dpkg-maintscript-helper print all unowned files from a directory
    when printing the error message, to ease debugging those problems after
    the fact. Closes: #813454, #860238
    Based on a patch by Bastien ROUCARIÈS <roucaries.bastien at gmail.com>.
  * Add duplicate prevention code for debian/files to dpkg-genbuildinfo, so
    that successive runs with different versions and equivalent build types
    do not generate multiple .buildinfo entries to be uploaded, which is
    similar to what dpkg-gencontrol is doing for .deb files.
  * Fix conffile takeover handling during unpack in dpkg on --root or
    on diversions. Closes: #837051, #858004
  * Fix digest inference for shared conffiles, causing bogus takeover
    unpack errors. Regression introduced in dpkg 1.16.9. Closes: #861217
  * Improve tar entry metadata parsing in dpkg:
    - Do not parse device numbers for non block nor char tar entry objects.
    - Make the existing octal parser more robust, by checking for the
      expected format of leading zeros or spaces, followed by any ASCII
      octal characters (0-7), followed by zero or more space or NULs.
    - Add support for base-256 encoded numeric fields, to support large
      values, for UID/GID, device number, size and even signed timestamps.
      This is necessary not only to be able to store larger values, but to
      cover packages that can already be generated by dpkg-deb, given that
      it uses the system GNU tar when building. Closes: #850834
  * Architecture support:
    - Add support for ARM64 ILP32. Closes: #824742
      Thanks to Wookey <wookey at wookware.org>.
  * Perl modules:
    - Remove obsolete hardening-wrapper support from Dpkg::Vendor::Ubuntu.
      Thanks to Adam Conrad <adconrad at 0c3.net>.
    - Bump $Dpkg::Deps::VERSION to match the one documented in CHANGES.
    - Ignore by default debian/files.new and debian/files for all source
      formats in Dpkg::Source::Package, because these are generated files
      with well known pathnames, part of the public interface, and with
      dpkg-genbuildinfo always injecting .buildinfo entries into
      debian/files, this meant this could disrupt previous workflows based
      on not cleaning the source tree.
  * Documentation:
    - Many spelling fixes. Thanks to Josh Soref <jsoref at gmail.com>.
    - Do not include misspellings in changelogs, as that makes detecting them
      more difficult.
  * Build system:
    - Use libexec variable for auxiliary internal programs, and set it to
      /usr/lib on Debian and derivatives.
    - Check that the detected tar is a GNU tar.
    - Check that the detected patch is a GNU patch, so that we get a directory
      traversal resistant patch implementation. This fixes CVE-2017-8283 by
      delegating those checks to patch(1), so that we trap blank-indented
      diff hunks trying to escape from the source tree.
  * Test suite:
    - Add a test case for blank-indented patches which were the cause for
      CVE-2017-8283.
    - Handle files with non-zero sizes in c-tarextract libdpkg test code.

  [ Updated programs translations ]
  * Catalan (Guillem Jover).
  * Czech (Miroslav Kure).

  [ Updated dselect translations ]
  * Catalan (Guillem Jover).

  [ Updated scripts translations ]
  * Catalan (Guillem Jover).

  [ Updated man pages translations ]
  * German (Helge Kreutzmann, David Rabel). Closes: #857449
  * Spanish (Javier Fernández-Sanguino).

Date: Mon, 05 Jun 2017 11:35:51 -0600
Changed-By: Adam Conrad <adconrad at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/dpkg/1.18.24ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 05 Jun 2017 11:35:51 -0600
Source: dpkg
Binary: dpkg libdpkg-dev dpkg-dev libdpkg-perl dselect
Architecture: source
Version: 1.18.24ubuntu1
Distribution: artful
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Adam Conrad <adconrad at ubuntu.com>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 813454 824742 837051 850834 857449 858004 860238 860979 861217
Original-Maintainer: Dpkg Developers <debian-dpkg at lists.debian.org>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
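
The tar numeric-field rules listed in the 1.18.24 changelog above (a strict octal format, plus base-256 for large or negative values), as an added C example that is not dpkg's own code. The names `tar_field_parse`, `parse_base256` and `fail` are hypothetical, and rejecting an all-blank field is this example's assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

static int fail(int err) { errno = err; return -1; }

/* GNU base-256: 0x80 marks a positive and 0xff a negative big-endian value. */
static int parse_base256(const unsigned char *f, size_t len, int64_t *out)
{
    int neg = (f[0] == 0xff);
    uint64_t v = neg ? UINT64_MAX : 0;

    if (f[0] != 0x80 && f[0] != 0xff)
        return fail(EINVAL);
    for (size_t i = 1; i < len; i++) {
        /* The byte about to be shifted out must be pure sign extension. */
        if ((v >> 56) != (neg ? 0xffu : 0u))
            return fail(ERANGE);
        v = (v << 8) | f[i];
    }
    if ((int)(v >> 63) != neg)              /* sign must survive in 64 bits */
        return fail(ERANGE);
    *out = (int64_t)v;
    return 0;
}

/* Decode one numeric tar header field; returns 0, or -1 with errno set. */
int tar_field_parse(const unsigned char *f, size_t len, int64_t *out)
{
    size_t i = 0, digits = 0;
    int64_t v = 0;

    if (len == 0)
        return fail(EINVAL);
    if (f[0] & 0x80)                        /* high bit set: not ASCII octal */
        return parse_base256(f, len, out);
    while (i < len && f[i] == ' ')          /* leading padding */
        i++;
    for (; i < len && f[i] >= '0' && f[i] <= '7'; i++, digits++) {
        if (v > (INT64_MAX >> 3))
            return fail(ERANGE);
        v = (v << 3) | (f[i] - '0');
    }
    for (; i < len; i++)                    /* only space/NUL may follow */
        if (f[i] != ' ' && f[i] != '\0')
            return fail(EINVAL);
    if (digits == 0)                        /* assumption: blank field is an error */
        return fail(EINVAL);
    *out = v;
    return 0;
}
```

An 11-digit octal size field tops out at 8589934591, so 8 GiB is the first size that can only be stored in the base-256 form.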