Univention Bugzilla – Bug 51305
apt: Multiple issues (4.4)
Last modified: 2020-05-20 12:30:17 CEST
New Debian apt 1.4.10A~4.4.4.202005181633 fixes:

This update addresses the following issue:
* apt (CVE-2020-3810)
--- mirror/ftp/4.4/unmaintained/4.4-0/source/apt_1.4.9A~4.3.3.201901230932.dsc +++ apt/ucs_4.4-0-errata4.4-4/source/apt_1.4.10A~4.4.4.202005181633.dsc @@ -1,10 +1,18 @@ -1.4.9A~4.3.3.201901230932 [Wed, 23 Jan 2019 09:33:18 +0100] Univention builddaemon <buildd@univention.de>: +1.4.10A~4.4.4.202005181633 [Mon, 18 May 2020 16:38:22 +0200] Univention builddaemon <buildd@univention.de>: - * UCS auto build. The following patches have been applied to the original source package - 01-fix-ftbfs - 10_ignore_debian - 11-silence-warning - 13-use-ucs-keyring + * UCS auto build. No patches were applied to the original source package + +1.4.10 [Tue, 12 May 2020 21:46:37 +0200] Julian Andres Klode <jak@debian.org>: + + * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177) + - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name + - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated + member names in error path + - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated + member names in error path + - CVE-2020-3810 + * Fix-up size in 1.4.9 security fix test case + * Add .gitlab-ci.yml for CI testing on Salsa 1.4.9 [Fri, 18 Jan 2019 11:42:07 +0100] Julian Andres Klode <jak@debian.org>: <http://10.200.17.11/4.4-4/#8918345950002507141>
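Review bot: the new 1.4.10A~4.4.4.202005181633 changelog entry replaces the list of four UCS patches (01-fix-ftbfs, 10_ignore_debian, 11-silence-warning, 13-use-ucs-keyring) with "No patches were applied to the original source package", so this rebuild dropped every UCS-specific change, including the keyring patch that, judging by its name, selects which keyring apt uses for UCS repositories; the package needs to be rebuilt with those patches reapplied before the errata is published. The upstream 1.4.10 entry (out-of-bounds reads in the ar and tar member-name handling in apt-pkg/contrib/arfile.cc and apt-pkg/contrib/extracttar.cc, CVE-2020-3810, LP: #1878177) is the intended content of this update and is fine as recorded.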
OK: yaml, I fixed the description
Reopen: No patches were applied!
Fix is in: svn patches r18873: Add apt patches from UCS 4.3 for first apt rebuild on UCS 4.4

b44-scope errata4.4-4 apt
Package: apt
Version: 1.4.10A~4.4.0.202005191916
Branch: ucs_4.4-0
Scope: errata4.4-4
Applying patch 01-fix-ftbfs.patch using -p1
Output of the patch process: OK
Applying patch 10_ignore_debian.patch using -p1
Output of the patch process: OK
Applying patch 11-silence-warning.patch using -p1
Output of the patch process: OK
Applying patch 13-use-ucs-keyring.patch using -p1
Output of the patch process: OK
OK: diff -urN 4.3-0-0-ucs/1.4.10-errata4.3-5 4.4-0-0-ucs/1.4.10-errata4.4-4
FIXED: errata-announce -V --only apt.yaml

[4.4-4] 377efb3200 Bug #51305: apt 1.4.10A~4.4.0.202005191916
 doc/errata/staging/apt.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(In reply to Erik Damrose from comment #2)
> OK: yaml, I fixed the description
> Reopen: No patches were applied!

caused by Bug #49600
--- mirror/ftp/4.4/unmaintained/4.4-0/source/apt_1.4.9A~4.3.3.201901230932.dsc +++ apt/ucs_4.4-0-errata4.4-4/source/apt_1.4.10A~4.4.0.202005191916.dsc @@ -1,4 +1,4 @@ -1.4.9A~4.3.3.201901230932 [Wed, 23 Jan 2019 09:33:18 +0100] Univention builddaemon <buildd@univention.de>: +1.4.10A~4.4.0.202005191916 [Tue, 19 May 2020 19:16:15 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 01-fix-ftbfs @@ -6,6 +6,18 @@ 11-silence-warning 13-use-ucs-keyring +1.4.10 [Tue, 12 May 2020 21:46:37 +0200] Julian Andres Klode <jak@debian.org>: + + * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177) + - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name + - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated + member names in error path + - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated + member names in error path + - CVE-2020-3810 + * Fix-up size in 1.4.9 security fix test case + * Add .gitlab-ci.yml for CI testing on Salsa + 1.4.9 [Fri, 18 Jan 2019 11:42:07 +0100] Julian Andres Klode <jak@debian.org>: * SECURITY UPDATE: content injection in http method (CVE-2019-3462) <http://10.200.17.11/4.4-4/#7337973295434345662>
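Review bot: this rebuilt 1.4.10A~4.4.0.202005191916 entry keeps the four UCS patches (01-fix-ftbfs, 10_ignore_debian, 11-silence-warning, 13-use-ucs-keyring) in the unchanged context and adds the upstream 1.4.10 entry for the out-of-bounds reads in apt-pkg/contrib/arfile.cc and apt-pkg/contrib/extracttar.cc (CVE-2020-3810); since the .dsc changelog only asserts that the patches were applied, the build log should be checked to confirm each patch applied cleanly, 13-use-ucs-keyring in particular. One further point to record: under dpkg version comparison this version sorts below the earlier 1.4.10A~4.4.4.202005181633 build (the 4.4.4 component compares higher than 4.4.0), so any host that had already received the first build would not upgrade to this one; that is harmless only if the first build was never published.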
OK: jenkins
OK: piuparts
OK: patches
<http://errata.software-univention.de/ucs/4.4/603.html>