[ubuntu/eoan-proposed] gvfs 1.41.91-1ubuntu1 (Accepted)
Iain Lane
iain.lane at canonical.com
Wed Aug 21 13:16:12 UTC 2019

gvfs (1.41.91-1ubuntu1) eoan; urgency=medium

  * Revert upstream changes to port to fuse 3. This is in universe in Ubuntu
    and we'll need to work out how to move over.

gvfs (1.41.91-1) experimental; urgency=medium

  [ Simon McVittie ]
  * Add bug number and CVE ID to previous changelog entry

  [ Iain Lane ]
  * debian/watch: Find unstable versions
  * New upstream release
    + admin: Add query_info_on_read/write functionality (CVE-2019-12448)
    + admin: Allow changing file owner (CVE-2019-12447)
    + admin: Ensure correct ownership when moving to file:// uri
      (CVE-2019-12449)
    + admin: Prevent core dumps when daemon is manually started
    + admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
    + afc: Remove assumptions about length of device UUID to support new
      devices
    + afp: Fix afp backend crash when no username supplied
    + build: Add dependency on gsettings-desktop-schemas
    + build: Bump required meson version to 0.50.0
    + build: Define gvfs_rpath for libgvfsdaemon.so
    + build: Several meson improvements
    + daemon: Check that the connecting client is the same user
      (CVE-2019-12795)
    + daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
    + daemon/udisks2: Handle lockdown option to disable writing
    + daemon: Unify some translatable strings
    + fuse: Adapt gvfsd-fuse to use fuse 3.x
    + fuse: Define RENAME_* macros when they are not defined
    + fuse: Remove max_write limit
    + gmountsource: Fix deadlocks in synchronous API
    + google: Check ownership in is_owner() without additional HTTP request
    + google: Disable deletion of non-empty directories
    + google: Do not enumerate volatile entries if title matches id
    + google: Fix crashes when deleting if the file isn't found
    + google: Fix issue with stale entries remaining after rename operation
    + google: Support deleting shared Google Drive files
    + proxy: Don't leak a GVfsDBusDaemon
    + udisks2: Change display name for crypto_unknown devices
  * debian/patches: Drop backported patches. We're further ahead now.

gvfs (1.40.1-3) experimental; urgency=medium

  * Team upload
  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
    Add missing authentication, preventing a local attacker from connecting
    to an abstract socket address learned from netstat(8) and issuing
    arbitrary D-Bus method calls
    (Closes: #930376, CVE-2019-12795)
  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
    Harden private D-Bus connection by rejecting the more complicated
    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL

gvfs (1.40.1-2) experimental; urgency=medium

  * Team upload
  * Update from upstream gnome-3-32 branch, commit 1.40.1-9-gec939a01,
    to fix the admin backend
    (Closes: #929755)
    - Implement query_info_on_read/write to fix some race conditions
      (CVE-2019-12448)
    - Ensure that created files get the correct ownership (CVE-2019-12247)
    - Ensure that copied files get the correct ownership (CVE-2019-12449)
    - Fix deadlocks in synchronous API
    - Various fixes for afc backend
    - Update translation: zh_CN
  * Remove obsolete version number from fuse dependency.
    gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
    so we can safely simplify to "Depends: fuse".
    The versioned dependency is not satisfied by fuse3's unversioned
    "Provides: fuse", but the unversioned dependency is. (Closes: #927221)

Date: Wed, 21 Aug 2019 12:33:35 +0100
Changed-By: Iain Lane <iain.lane at canonical.com>
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers at lists.alioth.debian.org>
https://launchpad.net/ubuntu/+source/gvfs/1.41.91-1ubuntu1

Format: 1.8
Source: gvfs
Architecture: source
Version: 1.41.91-1ubuntu1
Distribution: eoan
Urgency: medium
Closes: 927221 929755 930376