Univention Bugzilla – Bug 50736
python-apt: Multiple issues (4.4)
Last modified: 2020-01-29 14:07:06 CET
New Debian python-apt 1.4.1 fixes:

This update addresses the following issues:
* python-apt (CVE-2019-15795)
* python-apt (CVE-2019-15796)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/python-apt_1.4.0~beta3.dsc +++ apt/ucs_4.4-0-errata4.4-3/source/python-apt_1.4.1.dsc @@ -1,3 +1,26 @@ +1.4.1 [Thu, 23 Jan 2020 11:32:18 +0100] Julian Andres Klode <jak@debian.org>: + + * SECURITY UPDATE: Check that repository is trusted before downloading + files from it (LP: #1858973) + - apt/cache.py: Add checks to fetch_archives() and commit() + - apt/package.py: Add checks to fetch_binary() and fetch_source() + - CVE-2019-15796 + * SECURITY UPDATE: Do not use MD5 for verifying downloadeds + (Closes: #944696) (#LP: #1858972) + - apt/package.py: Use all hashes when fetching packages, and + check that we have trusted hashes when downloading + - CVE-2019-15795 + * To work around the new checks, the parameter allow_unauthenticated=True + can be passed to the functions. It defaults to the value of the + APT::Get::AllowUnauthenticated option. + * Cherry-pick "add pkgsrcrecord.Files.{hashes,size,path,type} getters" to + enable apt_pkg.SourceRecords to return objects with such getters instead + of just tuples (providing tuple-style backward compatibility). + * Automatic changes and fixes for external regressions: + - Adjustments to test suite and CI to fix CI regressions + - testcommon: Avoid reading host apt.conf files + - Automatic mirror list update + 1.4.0~beta3 [Sun, 23 Apr 2017 21:02:14 +0200] Julian Andres Klode <jak@debian.org>: * apt.auth: Fix check of fingerprint length <http://10.200.17.11/4.4-3/#8532639862373476742>
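Review bot: The third bullet of the 1.4.1 entry presents allow_unauthenticated=True only as a workaround, but because the parameter "defaults to the value of the APT::Get::AllowUnauthenticated option", a host that already sets that option gets neither the trusted-repository check (CVE-2019-15796) nor the trusted-hash check (CVE-2019-15795) in fetch_archives(), commit(), fetch_binary() and fetch_source(). The errata text should say so, so that administrators verify the option is unset and audit callers that pass the parameter explicitly. Two smaller points in the CVE-2019-15795 bullet: "downloadeds" is misspelled or truncated, and the reference "(#LP: #1858972)" has a stray "#" before "LP", unlike "(LP: #1858973)" in the first bullet, so it may not be recognised as a Launchpad reference.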
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-3] 4aee668fb2 Bug #50736: python-apt 1.4.1
 doc/errata/staging/python-apt.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-3] 1f610c9d07 Bug #50736: python-apt 1.4.1
 doc/errata/staging/python-apt.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

[4.4-3] 9822e84216 Bug #50736: python-apt 1.4.1
 doc/errata/staging/python-apt.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
<http://errata.software-univention.de/ucs/4.4/428.html>