Ubuntu
apt package

Backport auth.conf.d

Bug #1811120 reported by Julian Andres Klode
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Fix Released
Low
Unassigned
Trusty
Fix Released
Low
Unassigned
Xenial
Fix Released
Low
Unassigned
Bionic
Fix Released
Low
Unassigned
Cosmic
Fix Released
Low
Unassigned
Disco
Fix Released
Low
Unassigned

Bug Description

[Impact]
Backport auth.conf.d support to allow specifying per-repository authentication data in separate files, so packages can setup authenticated repositories.

[Regression potential]
We ignore errors from opening auth.conf.d files, so regressions can only occur when parsing a file fails, in which case apt would exit with an error.

[Test case]
The test suite provides autopkgtests for auth.conf.d which creates an auth.conf.d file and checks that it is successfully used; so we can check if those passed.

Except on trusty- do it manually there, by adding a file for a private ppa, and then running update.

- make sure to upgrade apt-transport-https on trusty & xenial...

See original description

CVE References

Julian Andres Klode (juliank)
Changed in apt (Ubuntu Disco):
status: New → Fix Released
Changed in apt (Ubuntu Cosmic):
status: New → Triaged
Changed in apt (Ubuntu Bionic):
status: New → Triaged
Changed in apt (Ubuntu Xenial):
status: New → Triaged
Changed in apt (Ubuntu Trusty):
status: New → Triaged
Changed in apt (Ubuntu Cosmic):
importance: Undecided → Wishlist
Changed in apt (Ubuntu Bionic):
importance: Undecided → Low
Changed in apt (Ubuntu Cosmic):
importance: Wishlist → Low
Changed in apt (Ubuntu Xenial):
importance: Undecided → Low
Changed in apt (Ubuntu Trusty):
importance: Undecided → Low
Changed in apt (Ubuntu Disco):
importance: Undecided → Low
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted apt into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.7.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Cosmic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Julian, or anyone else affected,

Accepted apt into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.6.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted apt into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.7.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted apt into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.6.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Julian Andres Klode (juliank) wrote :

The autopkgtests ran successfully and included a check for this, so this is verified.

tags: added: verification-don verification-done-bionic verification-done-cosmic
removed: verification-needed verification-needed-bionic verification-needed-cosmic
tags: added: verification-done
removed: verification-don
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.7.2

---------------
apt (1.7.2) cosmic; urgency=medium

  * Merge security update content injection in http method (CVE-2019-3462)

apt (1.7.1) cosmic; urgency=medium

  * Add support for /etc/apt/auth.conf.d/*.conf (netrcparts) (LP: #1811120)
  * NeverAutoRemove kernel meta packages (LP: #1787460)
  * Merge translations from 1.8 series
  * Source-only changes:
    - debian/gbp.conf: Point to 1.7.y branch
    - Do CI using ubuntu:cosmic, not debian:testing

 -- Julian Andres Klode <email address hidden> Fri, 25 Jan 2019 12:41:42 +0100

Changed in apt (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.6.8

---------------
apt (1.6.8) bionic; urgency=medium

  * merge security update: content injection in http method (CVE-2019-3462)

apt (1.6.7) bionic; urgency=medium

  [ Milo Casagrande ]
  * [l10n] Update Italian translation

  [ Julian Andres Klode ]
  * NeverAutoRemove kernel meta packages (LP: #1787460)
  * Add support for /etc/apt/auth.conf.d/*.conf (netrcparts) (LP: #1811120)
  * Merge translations from 1.8 series

 -- Julian Andres Klode <email address hidden> Fri, 25 Jan 2019 12:51:00 +0100

Changed in apt (Ubuntu Bionic):
status: Fix Committed → Fix Released
Julian Andres Klode (juliank)
description: updated
Julian Andres Klode (juliank)
Changed in apt (Ubuntu Xenial):
status: Triaged → In Progress
Changed in apt (Ubuntu Trusty):
status: Triaged → In Progress
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.30 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
removed: verification-done
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Julian, or anyone else affected,

Accepted apt into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.0.1ubuntu2.21 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed-trusty
Revision history for this message
Julian Andres Klode (juliank) wrote :

There is a bug in that we do not install the auth.conf.d directory in the package, I'm tracking this in bug 1818996 and will soon push out new SRUs with the additional directory and a fix for a wrong hook name.

Revision history for this message
Julian Andres Klode (juliank) wrote :

The auth.conf.d support in trusty and xenial does not seem to be working for https repos at least. Gotta re-investigate, it was working when I committed it, and xenial has a test case for it, so odd.

tags: added: verification-failed-trusty verification-failed-xenial
removed: verification-needed-trusty verification-needed-xenial
Revision history for this message
Julian Andres Klode (juliank) wrote :

Oh, this is slightly embarrassing: THe reason it failed is that I forgot to update apt-transport-https in trusty and xenial.

After upgrading apt-transport-https, auth.conf.d support is working correctly in both 1.0.1ubuntu2.21 in trusty-proposed, and 1.2.30 in xenial-proposed.

tags: added: verification-done verification-done-trusty verification-done-xenial
removed: verification-failed-trusty verification-failed-xenial verification-needed
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.31 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-xenial
removed: verification-done verification-done-xenial
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted apt into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.0.1ubuntu2.22 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-trusty
removed: verification-done-trusty
Revision history for this message
Julian Andres Klode (juliank) wrote :

Reverified against 1.2.31 and 1.0.1ubuntu2.22, updating with an auth.conf.d snippet worked fine.

tags: added: verification-done verification-done-trusty verification-done-xenial
removed: verification-needed verification-needed-trusty verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.2.31

---------------
apt (1.2.31) xenial; urgency=medium

  * Fix name of APT::Update::Post-Invoke-Stats (was ...Update-Post...)
  * apt.dirs: Install auth.conf.d directory (LP: #1818996)
  * Merge translations from 1.6.10 (via 1.4.y branch)

apt (1.2.30) xenial; urgency=medium

  * merge security upload for content injection in http method (CVE-2019-3462);
    with fixed autopkgtest (LP: #1815750)
  * Introduce experimental 'never' pinning for sources (LP: #1814727)
  * Add support for /etc/apt/auth.conf.d/*.conf (netrcparts) (LP: #1811120)
  * Add a Packages-Require-Authorization Release file field (LP: #1814727)
  * NeverAutoRemove kernel meta packages (LP: #1787460)
  * doc: Set ubuntu-codename to xenial (LP: #1812696)
  * update: Provide APT::Update-Post-Invoke-Stats script hook point
    (LP: #1815760)
  * Introduce APT::Install::Pre-Invoke / Post-Invoke-Success (LP: #1815761)

 -- Julian Andres Klode <email address hidden> Tue, 12 Mar 2019 14:59:01 +0100

Changed in apt (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.0.1ubuntu2.22

---------------
apt (1.0.1ubuntu2.22) trusty; urgency=medium

  * apt.dirs: Install auth.conf.d directory (LP: #1818996)
  * Merge translations from 1.2.31

apt (1.0.1ubuntu2.21) trusty; urgency=medium

  [ Julian Andres Klode ]
  * travis CI: Use docker container to get useful results
  * fix and non-silent fail dpkg-overwrite error test (LP: #1817088)
  * Introduce experimental 'never' pinning for sources (LP: #1814727)
  * Add support for /etc/apt/auth.conf.d/*.conf (netrcparts) (LP: #1811120)
  * Add a Packages-Require-Authorization Release file field (LP: #1814727)
  * NeverAutoRemove kernel meta packages (LP: #1787460)
  * Introduce APT::Install::Pre-Invoke / Post-Invoke-Success (LP: #1815761)

  [ David Kalnischkies ]
  * ftparchive/writer.cc: use a std::vector instead of hardcoded array
    (LP: #1817048)

 -- Julian Andres Klode <email address hidden> Tue, 12 Mar 2019 15:15:54 +0100

Changed in apt (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.