[ubuntu/utopic-proposed] dpkg 1.17.10ubuntu1 (Accepted)
Adam Conrad
adconrad at ubuntu.com
Mon Jun 9 18:53:14 UTC 2014
dpkg (1.17.10ubuntu1) utopic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Allow -fstack-protector on arm64 now that GCC and glibc support it.
    - Change native source version/format mismatch errors into warnings
      until the dust settles on Debian bug 737634 about override options.
    - Add DPKG_UNTRANSLATED_MESSAGES environment check so that higher-level
      tools can get untranslated dpkg terminal log messages while at the
      same time having translated debconf prompts.
    - Special-case arm{el,hf} ELF objects in Shlibs/Objdump.pm for multilib.
    - Map unqualified package names of multiarch-same packages to the native
      arch instead of throwing an error, so that we don't break on upgrade
      when there are unqualified names stored in the dpkg trigger database.
    - Add logic to the postinst to `dpkg --add-architecture i386' on new
      installs on amd64, mimicking our previous behaviour with the conffile.
    - Apply a workaround from mvo to consider ^rc packages as multiarch,
      during the dpkg consistency checks. (see LP: 1015567 and 1057367).

dpkg (1.17.10) unstable; urgency=medium

  [ Guillem Jover ]
  * Use libtool to build the static libraries, which makes it possible to
    embed libcompat inside libdpkg, as required by some external programs
    linking against the latter. Closes: #746122
  * Fix word wrapping logic in dselect. Regression introduced in dpkg 1.17.3.
  * Fix possible out of bounds buffer read access in the error output on
    bogus ar member sizes.
  * Fix memory leaks in buffer_copy() on error conditions.
  * Test suite:
    - Improve C code coverage.
    - Add template test cases for most perl modules.
    - Add test cases for Dpkg::Deps OR relationships.
    - Add minimal test case for Dpkg::Source::Quilt.
    - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
    - Add test case for patch disabling hunks; not security sensitive.
  * Fix non-security sensitive TOCTOU race in triggers database loading.
  * Fix non-security sensitive TOCTOU race in update-alternative alternative
    database loading.
  * Fix non-security sensitive TOCTOU race in update-alternative rename code.
  * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
    prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
    Closes: #731530
  * Move dpkg-architecture -L argument to the Commands --help output section.
  * Make dpkg-maintscript-helper print only once that we are moving a
    conffile, and not on every interim state transition. Closes: #747370
  * Do not use global match variables in perl code.
  * Man pages:
    - Attempt to clarify and improve wording of some strange or confused
      constructs. Reported by Helge Kreutzmann.
    - Expand Vcs-* field names into each supported field name in
      deb-src-control(5) to make it easier to search for them.
    - Change control.tar.gz reference to simply control.tar in deb(5).
    - Document in dpkg-deb(1) -Z option that bzip2 and lzma are deprecated.
    - Add notes in dpkg-gensymbols(1) about symbol backward-compatibility.
      Based on a patch by Bernhard R. Link <brlink at debian.org>.
      Closes: #746973
    - Document that dpkg-buildpackage(1) -j argument is optional.
    - Add current and deprecated media types to deb(5).
    - Document in dpkg(1) that --audit now does more than just searching for
      partially installed packages.
  * Add support for automatic parallel job selection in dpkg-buildpackage,
    matching currently active processors, when using -jauto. Closes: #748012
  * Perl modules:
    - Bump $VERSION for Dpkg::Patch, missed in 1.16.1.
    - Bump $VERSION for Dpkg::Deps, missed in 1.17.0.
    - Update and fix CHANGES POD sections for public modules.
    - Add missing Dpkg::Deps::Multiple profile_is_concerned() and
      reduce_profiles() methods, inherited by Dpkg::Deps::Union,
      Dpkg::Deps::AND and Dpkg::Deps::OR.
  * Do not mangle quilt series files with a missing newline on the last line.
    Closes: #584233
  * Quiesce tar warnings in cron job by redirecting stderr to /dev/null, as
    it seems --warning=none does not work correctly. Closes: #748544
  * Do not emit a trailing space from Dpkg::Control::Hash on a field's empty
    first line. Bump dpkg-dev Breaks on devscripts to 2.14.4, as previous
    versions expect a trailing space from dpkg-parsechangelog output.
    Based on a patch by Johannes Schauer <j.schauer at email.de>. Closes: #749044
  * Do not assume that sensible-editor is present on «dpkg-source --commit»,
    as that command is very Debian specific. Fallback to try VISUAL, EDITOR,
    or vi, if the previous commands are either unset or not found.
  * Use badusage() instead of ohshit() on dpkg --ignore-depends argument
    parsing errors.
  * Add per package dpkg --audit support.
  * Add support for DragonFlyBSD to ostable and triplettable.
    Thanks to Hleb Valoshka <375gnu at gmail.com>.
  * Add support for DragonFlyBSD to start-stop-daemon. Closes: #734452
    Based on a patch by Hleb Valoshka <375gnu at gmail.com>.
  * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
    traversal attempts from hostile source packages when unpacking them.
    Reported by Javier Serrano Polo <javier at jasp.net> as an unspecified
    directory traversal; meanwhile also independently found by me both
    #749183 and what was supposed to be #746498, which was later on published
    and ended up being just a subset of the other non-reported issue.
    Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183

  [ Updated programs translations ]
  * Catalan (Guillem Jover).
  * Italian (Milo Casagrande). Closes: #750105

  [ Updated scripts translations ]
  * German (Helge Kreutzmann).

  [ Updated manpages translations ]
  * German (Helge Kreutzmann).

  [ Raphaël Hertzog ]
  * Let dpkg-source unpack additional tarballs in a deterministic order.
    Thanks to Samuel Bronson for the report. Closes: #747148

Date: Mon, 09 Jun 2014 12:18:09 -0600
Changed-By: Adam Conrad <adconrad at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/utopic/+source/dpkg/1.17.10ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 09 Jun 2014 12:18:09 -0600
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source
Version: 1.17.10ubuntu1
Distribution: utopic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Adam Conrad <adconrad at ubuntu.com>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 584233 731530 734452 746122 746498 746973 747148 747370 748012 748544 749044 749183 750105
Checksums-Sha1:
66f1c2765e33e23ea76e7da3ab43b0d05ff1a1a8 1505 dpkg_1.17.10ubuntu1.dsc
804712827d2b3282eb543f4ddbd1070226826b26 4202540 dpkg_1.17.10ubuntu1.tar.xz
Checksums-Sha256:
f8de77e3ac4cadc9a2fc075ee101bbf5e7d5f78da7382e15611d2308311c181c 1505 dpkg_1.17.10ubuntu1.dsc
006a73a257cb53082d54311cbc509eea3737fb8358cf2982f5431961c19f509f 4202540 dpkg_1.17.10ubuntu1.tar.xz
Files:
6269621fff867df290c7e7a4f727559f 1505 admin required dpkg_1.17.10ubuntu1.dsc
be76ab8a0bde4037f64bde28dfc88493 4202540 admin required dpkg_1.17.10ubuntu1.tar.xz
Original-Maintainer: Dpkg Developers <debian-dpkg at lists.debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlOWAlIACgkQvjztR8bOoMn9vwCeOZAnD9ctTnq2N/sSMYDvcjq2
mWsAoL4u/wtsCXYlRmP6IjTmek406Jsc
=YNU2
-----END PGP SIGNATURE-----