autopkgtest failure due to security update

Bug #1815750 reported by Dan Streetman on 2019-02-13
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Medium
Unassigned
Xenial
Medium
Unassigned

Bug Description

[impact]

the security update for:
SECURITY UPDATE: content injection in http method (CVE-2019-3462)
    (LP: #1812353)

causes an autopkgtest failure for:
Failed tests: test-cve-2019-3462-dequote-injection

[test case]

run autopkgtest on the security-patched version

[regression potential]

the test needs to be updated, so the regression potential is around the test continuing to fail.

CVE References

Dan Streetman (ddstreet) on 2019-02-13
Changed in apt (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Dan Streetman (ddstreet)
importance: Undecided → Medium
Julian Andres Klode (juliank) wrote :

Yes, I know they're broken in xenial, and it's fixed in git, and will be part of the next SRU.

Changed in apt (Ubuntu Bionic):
status: New → Invalid
Changed in apt (Ubuntu Cosmic):
status: New → Invalid
Changed in apt (Ubuntu Trusty):
status: New → Invalid
Dan Streetman (ddstreet) on 2019-02-13
Changed in apt (Ubuntu Xenial):
assignee: Dan Streetman (ddstreet) → nobody

Hello Dan, or anyone else affected,

Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.30 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Julian Andres Klode (juliank) wrote :

Verified - 1.2.30 in xenial-proposed passes the tests

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Dan, or anyone else affected,

Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.31 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-xenial
removed: verification-done verification-done-xenial
Julian Andres Klode (juliank) wrote :

1.2.31 is good as well.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial

The verification of the Stable Release Update for apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.2.31

---------------
apt (1.2.31) xenial; urgency=medium

  * Fix name of APT::Update::Post-Invoke-Stats (was ...Update-Post...)
  * apt.dirs: Install auth.conf.d directory (LP: #1818996)
  * Merge translations from 1.6.10 (via 1.4.y branch)

apt (1.2.30) xenial; urgency=medium

  * merge security upload for content injection in http method (CVE-2019-3462);
    with fixed autopkgtest (LP: #1815750)
  * Introduce experimental 'never' pinning for sources (LP: #1814727)
  * Add support for /etc/apt/auth.conf.d/*.conf (netrcparts) (LP: #1811120)
  * Add a Packages-Require-Authorization Release file field (LP: #1814727)
  * NeverAutoRemove kernel meta packages (LP: #1787460)
  * doc: Set ubuntu-codename to xenial (LP: #1812696)
  * update: Provide APT::Update-Post-Invoke-Stats script hook point
    (LP: #1815760)
  * Introduce APT::Install::Pre-Invoke / Post-Invoke-Success (LP: #1815761)

 -- Julian Andres Klode <email address hidden> Tue, 12 Mar 2019 14:59:01 +0100

Changed in apt (Ubuntu Xenial):
status: Fix Committed → Fix Released
no longer affects: apt (Ubuntu Trusty)
no longer affects: apt (Ubuntu Bionic)
no longer affects: apt (Ubuntu Cosmic)
Changed in apt (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers