This bug was fixed in the package apt - 0.9.9.1~ubuntu1 --------------- apt (0.9.9.1~ubuntu1) saucy; urgency=low * merged from the debian/sid branch: - debian/gbp.conf: change build branch to ubuntu/master - use ubuntu keyring and ubuntu archive keyring in apt-key - run update-apt-xapian-index in apt.cron - run apt-key net-update in cron.daily - different example sources.list - APT::pkgPackageManager::MaxLoopCount set to 5000 - apport pkgfailure handling - ubuntu changelog download handling - patch for apt cross-building, see http://bugs.debian.org/666772 - debian/apt.auto-removal.sh + make kernels auto-removable apt (0.9.9.1) UNRELEASED; urgency=low * debian/rules: - call dh_clean in clean (closes: #714980) apt (0.9.9) unstable; urgency=low [ Michael Vogt ] * improve debug output for the Debug::pkgProblemResolver and Debug::pkgDepCache::AutoInstall * improve apt-cdrom output when no CD-ROM can be auto-detected * document --no-auto-detect in apt-cdrom [ David Kalnischkies ] * build the en manpages in subdirectory doc/en * remove -ldl from cdrom and -lutil from apt-get linkage * rewrite pkgOrderList::DepRemove to stop incorrect immediate setting (Closes: 645713) * prefer Essentials over Removals in ordering score * fix priority sorting by prefering higher in MarkInstall * try all providers in order if uninstallable in MarkInstall * do unpacks before configures in SmartConfigure (Closes: #707578) * fix support for multiple patterns in apt-cache search (Closes: #691453) * set Fail flag in FileFd on all errors consistently * don't explicitly init ExtractTar InFd with invalid fd * OpenDescriptor should autoclose fd always on error (Closes: #704608) * fail in CopyFile if the FileFds have error flag set * ensure state-dir exists before coyping cdrom files * fix file location for configure-index.gz in apt.conf(5) (Closes: #711921) * handle missing "Description" in apt-cache show (Closes: #712435) * try defaults if auto-detection failed in apt-cdrom (Closes: #712433) * support \n and \r\n line endings in ReadMessages * do not redownload unchanged InRelease files * trigger NODATA error for invalid InRelease files (Closes: #712486) apt (0.9.8.2) unstable; urgency=low [ Programs translations ] * French translation : typo fix. Closes: #677272 [ Guillem Jover ] * Update Vcs fields (Closes: #708562) [ Michael Vogt ] * buildlib/apti18n.h.in: - fix build failure when building without NLS (closes: #671587) [ Gregoire Menuel ] * Fix double free (closes: #711045) [ Raphael Geissert ] * Fix crash when the "mirror" method does not find any entry (closes: #699303) [ Johan Kiviniemi ] * cmdline/apt-key: - Create new keyrings with mode 0644 instead of 0600. - Accept a nonexistent --keyring file with the adv subcommand as well. apt (0.9.8.1) unstable; urgency=low [ David Kalnischkies ] * apt-pkg/indexcopy.cc: - non-inline RunGPGV methods to restore ABI compatibility with previous versions to fix partial upgrades (Closes: #707771) [ Michael Vogt ] * moved source to http://git.debian.org/apt/apt.git * updated gbp.conf to match what bzr-buildpackage is doing * remove .bzr-buildpackage/default.conf (superseeded by gbp.conf) apt (0.9.8) unstable; urgency=low [ Ludovico Cavedon ] * properly handle if-modfied-since with libcurl/https (closes: #705648) [ Andreas Beckman ] * apt-pkg/algorithms.cc: - Do not propagate negative scores from rdepends. Propagating the absolute value of a negative score may boost obsolete packages and keep them installed instead of installing their successors. (Closes: #699759) [ Michael Vogt ] * apt-pkg/sourcelist.cc: - fix segfault when a hostname contains a [, thanks to Tzafrir Cohen (closes: #704653) * debian/control: - replace manpages-it (closes: #704723) [ David Kalnischkies ] * various simple changes to fix cppcheck warnings * apt-pkg/pkgcachegen.cc: - do not store the MD5Sum for every description language variant as it will be the same for all so it can be shared to save cache space - handle language tags for descriptions are unique strings to be shared - factor version string creation out of NewDepends, so we can easily reuse version strings e.g. for implicit multi-arch dependencies - equal comparisions are used mostly in same-source relations, so use this to try to reuse some version strings - sort group and package names in the hashtable on insert - share version strings between same versions (of different architectures) to save some space and allow quick comparisions later on * apt-pkg/pkgcache.cc: - assume sorted hashtable entries for groups/packages * apt-pkg/cacheiterators.h: - provide DepIterator::IsSatisfied as a nicer shorthand for DepCheck * apt-pkg/deb/debversion.cc: - add a string-equal shortcut for equal version comparisions [ Marc Deslauriers ] * make apt-ftparchive generate missing deb-src hashes (LP: #1078697) [ Yaroslav Halchenko ] * Fix English spelling error in a message ('A error'). Unfuzzy translations. Closes: #705087 [ Programs translations ] * French translation completed (Christian Perrier) [ Manpages translations ] * French translation completed (Christian Perrier) [ Daniel Hartwig ] * apt-pkg/contrib/strutl.cc: - include port in shortened URIs (e.g. with apt-cache policy, progress display) thanks to James McCoy (Closes: #154868, #322074) - percent-encode username and password when writing URIs * methods/http.cc: - properly escape IP-literals (e.g. IPv6 address) when building Host headers and URIs (Closes: #620344) * methods/https.cc: - use https_proxy environment variable if present, falling back to http_proxy otherwise - use authentication credentials from proxy URI (Closes: #651640, LP: #1087512) - environment variables do not override an explicit no proxy directive ("DIRECT") in apt.conf - disregard all_proxy environment variable, like other methods apt (0.9.7.9~exp3) experimental; urgency=low [ Michael Vogt ] * apt-pkg/sourcelist.cc: - fix segfault when a hostname contains a [, thanks to Tzafrir Cohen (closes: #704653) * debian/control: - replace manpages-it (closes: #704723) [ David Kalnischkies ] * various simple changes to fix cppcheck warnings * apt-pkg/pkgcachegen.cc: - do not store the MD5Sum for every description language variant as it will be the same for all so it can be shared to save cache space - handle language tags for descriptions are unique strings to be shared - factor version string creation out of NewDepends, so we can easily reuse version strings e.g. for implicit multi-arch dependencies - equal comparisions are used mostly in same-source relations, so use this to try to reuse some version strings - sort group and package names in the hashtable on insert - share version strings between same versions (of different architectures) to save some space and allow quick comparisions later on * apt-pkg/pkgcache.cc: - assume sorted hashtable entries for groups/packages * apt-pkg/cacheiterators.h: - provide DepIterator::IsSatisfied as a nicer shorthand for DepCheck * apt-pkg/deb/debversion.cc: - add a string-equal shortcut for equal version comparisions [ Marc Deslauriers ] * make apt-ftparchive generate missing deb-src hashes (LP: #1078697) [ Yaroslav Halchenko ] * Fix English spelling error in a message ('A error'). Unfuzzy translations. Closes: #705087 [ Programs translations ] * French translation completed (Christian Perrier) [ Manpages translations ] * French translation completed (Christian Perrier) [ Daniel Hartwig ] * apt-pkg/contrib/strutl.cc: - include port in shortened URIs (e.g. with apt-cache policy, progress display) thanks to James McCoy (Closes: #154868, #322074) - percent-encode username and password when writing URIs * methods/http.cc: - properly escape IP-literals (e.g. IPv6 address) when building Host headers and URIs (Closes: #620344) * methods/https.cc: - use https_proxy environment variable if present, falling back to http_proxy otherwise - use authentication credentials from proxy URI (Closes: #651640, LP: #1087512) - environment variables do not override an explicit no proxy directive ("DIRECT") in apt.conf - disregard all_proxy environment variable, like other methods apt (0.9.7.9~exp2) experimental; urgency=low [ Programs translations ] * Update all PO files and apt-all.pot * French translation completed (Christian Perrier) [ Daniel Hartwig ] * cmdline/apt-get.cc: - do not have space between "-a" and option when cross building (closes: #703792) * test/integration/test-apt-get-download: - fix test now that #1098752 is fixed * po/{ca,cs,ru}.po: - fix merge artifact [ David Kalnischkies ] * apt-pkg/indexcopy.cc: - rename RunGPGV to ExecGPGV and move it to apt-pkg/contrib/gpgv.cc * apt-pkg/contrib/gpgv.cc: - ExecGPGV is a method which should never return, so mark it as such and fix the inconsistency of returning in error cases - don't close stdout/stderr if it is also the statusfd - if ExecGPGV deals with a clear-signed file it will split this file into data and signatures, pass it to gpgv for verification - add method to open (maybe) clearsigned files transparently * apt-pkg/acquire-item.cc: - keep the last good InRelease file around just as we do it with Release.gpg in case the new one we download isn't good for us * apt-pkg/deb/debmetaindex.cc: - reenable InRelease by default * ftparchive/writer.cc, apt-pkg/deb/debindexfile.cc, apt-pkg/deb/deblistparser.cc: - use OpenMaybeClearSignedFile to be free from detecting and skipping clearsigning metadata in dsc and Release files [ Michael Vogt ] * add regression test for CVE-2013-1051 * implement GPGSplit() based on the idea from Ansgar Burchardt (many thanks!) * methods/connect.cc: - use Errno() instead of strerror(), thanks to David Kalnischk * doc/apt.conf.5.xml: - document Acquire::ForceIPv{4,6} apt (0.9.7.9~exp1) experimental; urgency=low [ Niels Thykier ] * test/libapt/assert.h, test/libapt/run-tests: - exit with status 1 on test failure [ Daniel Hartwig ] * test/integration/framework: - continue after test failure but preserve exit status [ Programs translation updates ] * Turkish (Mert Dirik). Closes: #703526 [ Colin Watson ] * methods/connect.cc: - provide useful error message in case of EAI_SYSTEM (closes: #703603) [ Michael Vogt ] * add new config options "Acquire::ForceIPv4" and "Acquire::ForceIPv6" to allow focing one or the other (closes: #611891) * lp:~mvo/apt/fix-tagfile-hash: - fix false positives in pkgTagSection.Exists(), thanks to Niels Thykier for the testcase (closes: #703240) - this will require rebuilds of the clients as this used to be a inline function apt (0.9.7.8) unstable; urgency=criticial * SECURITY UPDATE: InRelease verification bypass - CVE-2013-1051 [ David Kalnischk ] * apt-pkg/deb/debmetaindex.cc, test/integration/test-bug-595691-empty-and-broken-archive-files, test/integration/test-releasefile-verification: - disable InRelease downloading until the verification issue is fixed, thanks to Ansgar Burchardt for finding the flaw apt (0.9.7.8~exp2) experimental; urgency=low * include two missing patches to really fix bug #696225, thanks to Guillem Jover * ensure sha512 is really used when available, thanks to Tyler Hicks (LP: #1098752) apt (0.9.7.8~exp1) experimental; urgency=low [ Manpages translation updates ] * Italian (Beatrice Torracca). Closes: #696601 [ Programs translation updates ] * Japanese (Kenshi Muto). Closes: #699783 [ Michael Vogt ] * fix pkgProblemResolver::Scores, thanks to Paul Wise. Closes: #697577 * fix missing translated apt.8 manpages, thanks to Helge Kreutzmann for the report. Closes: #696923 * apt-pkg/contrib/progress.cc: - Make "..." translatable to fix inconsistencies in the output of e.g. apt-get update. While this adds new translatable strings, not having translations for them will not break anything. Thanks to Guillem Jover. Closes: #696225 * debian/apt.cron.daily: - when reading from /dev/urandom, use less entropy and fix a rare bug when the random number chksum is less than 1000. Closes: #695285 * methods/https.cc: - reuse connection in https, thanks to Thomas Bushnell, BSG for the patch. LP: #1087543, Closes: #695359 - add missing curl_easy_cleanup() * methods/http.cc: - quote spaces in filenames to ensure as the http method is also (potentially) used for non deb,dsc content that may contain spaces, thanks to Daniel Hartwig and Thomas Bushnell (LP: #1086997) - quote plus in filenames to work around a bug in the S3 server (LP: #1003633) * apt-pkg/indexrecords.cc: - support '\r' in the Release file [ David Kalnischkies ] * apt-pkg/depcache.cc: - prefer to install packages which have an already installed M-A:same sibling while choosing providers (LP: #1130419) -- Michael Vogt