Comment 0 for bug 1638021

Julian Andres Klode (juliank) wrote :

[Impact]
1.2.15 is a somewhat larger bugfix release because I screwed up a bit with backporting fixes: 1.2.14 was released in June, and quite a few bugs have been fixed since then in the 1.3 series, but I never managed to release a new 1.2.y release. See Bug #1595177 for the 1.2.14 details.

This changes the cache format to fix buffer overflows (the cache format is in sync with the 1.3 series and thus has the same version number). It also fixes several invalid states in the updating code (where we got mismatches before). Then there are several smaller bugfixes and more checks for file sanity I cannot really all recall, and some translation updates.

This release also changes the autoremoval algorithm to only protect the latest same-source provider of a given package. infinity wanted this in for handling virtual ZFS modules provided by the kernel causing the kernels not to be autoremoved or something. We have had this code in Debian testing and unstable since 1.3~pre1 in early July, and it's in yakkety, and we are reasonably sure it's stable now.

apt (1.2.15) xenial; urgency=medium

  (Most bugfixes until to and including 1.3.1)

  [ Julian Andres Klode ]
  * methods/ftp: Cope with weird PASV responses.
    Thanks to Lukasz Stelmach for the initial patch (Closes: #420940)
  * Fix buffer overflow in debListParser::VersionHash() (Closes: #828812)
  * cache: Bump minor version to 6
  * indextargets: Check that cache could be built before using it
    (Closes: #829651)
  * gpgv: Unlink the correct temp file in error case
  * fileutl: empty file support: Avoid fstat() on -1 fd and check result
  * Ignore SIGINT and SIGQUIT for Pre-Install hooks
  * install-progress: Call the real ::fork() in our fork() method
  * Accept --autoremove as alias for --auto-remove
  * apt-inst: debfile: Pass comp. Name to ExtractTar, not Binary
  * changelog: Respect Dir setting for local changelog getting
  * Fix segfault and out-of-bounds read in Binary fields
  * Merge translations from 1.3~rc3
  * TagFile: Fix off-by-one errors in comment stripping
  * Base256ToNum: Fix uninitialized value
  * VersionHash: Do not skip too long dependency lines
  * Do not read stderr from proxy autodetection scripts

  [ Nicolas Le Cam ]
  * Use the ConditionACPower feature of systemd in the apt-daily service
    (Closes: #827930)

  [ David Kalnischkies ]
  * close server if parsing of header field failed
  * don't do atomic overrides with failed files (Closes: 828908)
  * if reading of autobit state failed, let write fail
  * write auto-bits before calling dpkg & again after if needed
  * factor out Pkg/DepIterator prettyprinters into own header
  * protect only the latest same-source providers from autoremove
  * reinstalling local deb file is no downgrade
  * do not treat same-version local debs as downgrade
  * avoid 416 response teardown binding to null pointer
  * don't change owner/perms/times through file:// symlinks
  * report all instead of first error up the acquire chain
  * keep trying with next if connection to a SRV host failed
  * call flush on the wrapped writebuffered FileFd
  * verify hash of input file in rred
  * use proper warning for automatic pipeline disable
  * rred: truncate result file before writing to it (Closes: #831762)
  * if the FileFd failed already following calls should fail, too
  * pass --force-remove-essential to dpkg only if needed
  * allow user@host (aka: no password) in URI parsing
  * drop incorrect const attribute from DirectoryExists (LP: 1473674)
  * http(s): allow empty values for header fields (Closes: 834048)
  * don't try pipelining if server closes connections (Closes: #832113)
  * don't loop on pinning pkgs from absolute debs by regex (Closes: 835818)
  * try not to call memcpy with length 0 in hash calculations
  * abort connection on '.' target replies in SRV

  [ Andrew Patterson ]
  * Add kernels with "+" in the package name to APT::NeverAutoRemove
    (Closes: #830159)

  [ Mert Dirik ]
  * Turkish program translation update (Closes: 832039)

  [ Zhou Mo ]
  * zh_CN.po: update simplified chinese translation

 -- Julian Andres Klode <email address hidden> Mon, 31 Oct 2016 14:59:55 +0100

[Test case]
Most of the code has automated regression tests included in the code. We can still run some upgrade tests, but I've been running this since Oct 5 on my machine from the PPA and it works fine.

[Regression Potential]
Very low. The release has been tested by a thorough integration test suite on Travis CI, and all of the fixes have been in apt 1.3.1 and older versions. I also ran the version for weeks on my "server" laptop with unattended-upgrades and everything worked fine.