Bug#762160: marked as done (apt: [regression] relative paths for Dir are broken)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Wed, 24 Sep 2014 22:17:25 +0000
with message-id <E1XWusH-0006qx-Ol@franck.debian.org>
and subject line Bug#762160: fixed in apt 0.9.7.9+deb7u5
has caused the Debian Bug report #762160,
regarding apt: [regression] relative paths for Dir are broken
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
762160: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762160
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: apt: [regression] 406 Not acceptable errors
• From: Paul Wise <pabs@debian.org>
• Date: Fri, 19 Sep 2014 13:31:04 +0800
• Message-id: <[🔎] 1411104663.18352.13.camel@debian.org>

Package: apt
Version: 0.9.7.9+deb7u4
Severity: important

The recent apt security updates broke the Debian derivatives census
scripts, various sites now return "406 Not acceptable" errors.

The set of instructions below produces the errors on the second apt-get
update run with apt 0.9.7.9+deb7u4 but not with apt 0.9.7.9+deb7u2.

I also note that if I use the same sources.list with chdist from
devscripts I do *not* get the same errors.

Looking at the wireshark log, the difference is that chdist only gets
304 and 404 HTTP codes but plain apt gets 304, 404, 416 and 406 codes.

These sources.list files exhibit the issue:

https://dex.alioth.debian.org/census/Aptosid/sources.list
https://dex.alioth.debian.org/census/ArcheOS/sources.list
https://dex.alioth.debian.org/census/AstraLinux/sources.list
https://dex.alioth.debian.org/census/BCCD/sources.list
https://dex.alioth.debian.org/census/HandyLinux/sources.list
https://dex.alioth.debian.org/census/Ordissimo/sources.list
https://dex.alioth.debian.org/census/SteamOS/sources.list
https://dex.alioth.debian.org/census/Tucunare/sources.list
https://dex.alioth.debian.org/census/sources.list
https://dex.alioth.debian.org/census/sources.list

rm -rf sources.list apt.conf apt
cat <<EOF > sources.list
deb [arch=i386,amd64] http://aptosid.com/debian/ sid main fix.main
deb-src http://aptosid.com/debian/ sid main fix.main
EOF
cat <<EOF > apt.conf
Dir "apt";
Dir::State::status "./apt/var/lib/dpkg/status";
Dir::Etc::sourcelist "./sources.list";
EOF
mkdir --parents apt/var/lib/dpkg apt/etc/apt/apt.conf.d apt/etc/apt/trusted.gpg.d apt/etc/apt/preferences.d apt/etc/apt/sources.list.d apt/var/lib/apt/lists/partial apt/var/cache/apt/archives/partial
touch apt/var/lib/dpkg/status apt/etc/apt/trusted.gpg
export APT_CONFIG=`pwd`/apt.conf
apt-get update
apt-get update

-- System Information:
Debian Release: 7.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg                   1.4.12-7+deb7u6
ii  libapt-pkg4.12          0.9.7.9+deb7u4
ii  libc6                   2.13-38+deb7u4
ii  libgcc1                 1:4.7.2-5
ii  libstdc++6              4.7.2-5

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc     <none>
ii  aptitude    0.6.8.2-1
ii  dpkg-dev    1.16.15
pn  python-apt  <none>
ii  xz-utils    5.1.1alpha+20120614-2

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part

--- End Message ---

--- Begin Message ---

• To: 762160-close@bugs.debian.org
• Subject: Bug#762160: fixed in apt 0.9.7.9+deb7u5
• From: Michael Vogt <mvo@debian.org>
• Date: Wed, 24 Sep 2014 22:17:25 +0000
• Message-id: <E1XWusH-0006qx-Ol@franck.debian.org>

Source: apt
Source-Version: 0.9.7.9+deb7u5

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 23 Sep 2014 08:56:27 +0200
Source: apt
Binary: apt libapt-pkg4.12 libapt-inst1.5 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 0.9.7.9+deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package managment related utility programs
 libapt-inst1.5 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg4.12 - package managment runtime library
Closes: 762160
Changes: 
 apt (0.9.7.9+deb7u5) wheezy-security; urgency=high
 .
   * SECURITY UPDATE:
     - methods/http.cc: fix potential buffer overflow, thanks to the
       Google Security Team (CVE-2014-6273)
   * fix regression when Dir::state::lists is set to a relative
     path (closes: 762160)
   * fix regression when cdrom: sources got rewriten by apt-cdrom
     add
Checksums-Sha1: 
 62736ce6b979f8979262b788863adddf7818f4c4 2364 apt_0.9.7.9+deb7u5.dsc
 07443ad2fdeae339e7b65e1a61c8a97126caaabd 3387096 apt_0.9.7.9+deb7u5.tar.gz
 cc1ea58cb95f1f54df1f3e3ef108e2fb688c2b2a 261746 apt-doc_0.9.7.9+deb7u5_all.deb
 633301137d829701e5e84b2bbf9348334788bec2 964220 libapt-pkg-doc_0.9.7.9+deb7u5_all.deb
 fde1fbe3072354a2ada678391a6eff9a666ce7f8 891260 libapt-pkg4.12_0.9.7.9+deb7u5_amd64.deb
 b9bc6e62aca0f0df094bce4715f35cd5a3c574e9 166942 libapt-inst1.5_0.9.7.9+deb7u5_amd64.deb
 4eca7305ca25d2607d510516e34715ed60933195 1261662 apt_0.9.7.9+deb7u5_amd64.deb
 b4cd2716407882863c7b8bd4beeb154b2b309b40 187296 libapt-pkg-dev_0.9.7.9+deb7u5_amd64.deb
 596e87c7e2c59dc0b4778b2fb4fdcc84465d2db2 377764 apt-utils_0.9.7.9+deb7u5_amd64.deb
 08ac2b7f5192ea0f04017a91e3e3f2cf4612ca1b 109112 apt-transport-https_0.9.7.9+deb7u5_amd64.deb
Checksums-Sha256: 
 ea217d60486d41a25401631c66e705b29733e0c92b13503c0103c6b74095d17b 2364 apt_0.9.7.9+deb7u5.dsc
 69b45a86607cb178e5892522d66bcf95307145181dc8b5101aafeb79d8298d71 3387096 apt_0.9.7.9+deb7u5.tar.gz
 1d45222f95ac6e2d89aed7c0ccc113ab6b72bb6e2dd295d048319cfe551e4bb9 261746 apt-doc_0.9.7.9+deb7u5_all.deb
 55564d52387c3a24fd0f0e322b98e50c4f728eb40fb011f54ab7876cc0e503d9 964220 libapt-pkg-doc_0.9.7.9+deb7u5_all.deb
 034fdb30dbeef9e31cff6acc24fce82ece27a8c2d372fecadbba3976733e7535 891260 libapt-pkg4.12_0.9.7.9+deb7u5_amd64.deb
 4ad87b5c9d9951e666dd877da241632643c18079bae5055e9fe75fc836b7ff5f 166942 libapt-inst1.5_0.9.7.9+deb7u5_amd64.deb
 a2ae022c424f8e38a261fb428a92885fab5a1facafbe019a4c362345aadb1b09 1261662 apt_0.9.7.9+deb7u5_amd64.deb
 babf380caff6f115530789b66b3a9794dd6e7a9733ac17fa71784fc6cdf75973 187296 libapt-pkg-dev_0.9.7.9+deb7u5_amd64.deb
 53b41771c2898e63fa54cae023a4e9e6393b08b3d2313ed45cf1959cf422acda 377764 apt-utils_0.9.7.9+deb7u5_amd64.deb
 3033b5402357539d957e4b6ce0813f1d5a0d399d5d49ef138dea7a58e703b815 109112 apt-transport-https_0.9.7.9+deb7u5_amd64.deb
Files: 
 7fc9e059dac553d7293d02f995785423 2364 admin important apt_0.9.7.9+deb7u5.dsc
 6d3cdf9a5c57e67a7564eb0d980aa1db 3387096 admin important apt_0.9.7.9+deb7u5.tar.gz
 39d0f20bc16987da79f16dda3c81041d 261746 doc optional apt-doc_0.9.7.9+deb7u5_all.deb
 c28c8bfbb4e84d0db202e1844f6103ef 964220 doc optional libapt-pkg-doc_0.9.7.9+deb7u5_all.deb
 363b8ffb80eeee750f3ac7a7fa9c358e 891260 libs important libapt-pkg4.12_0.9.7.9+deb7u5_amd64.deb
 4b455ccda772776f7fcaa4e1fb8f5a3b 166942 libs important libapt-inst1.5_0.9.7.9+deb7u5_amd64.deb
 f105122b977dfeb41b788997dee2b377 1261662 admin important apt_0.9.7.9+deb7u5_amd64.deb
 868c365e4bcd1a0eaedabee4f679d572 187296 libdevel optional libapt-pkg-dev_0.9.7.9+deb7u5_amd64.deb
 3235d760eeec6186d5c8bef5261c8358 377764 admin important apt-utils_0.9.7.9+deb7u5_amd64.deb
 408d0eb61aa48ac2e017482bba0bec6e 109112 admin optional apt-transport-https_0.9.7.9+deb7u5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJUISh1AAoJEJjKuzq9TKWezeUQAKb+T8jg6wxZc693ivth6LK+
g/jfdgq2pXn6fe+6+ImDdnrnV/xgtXR5ky8n8QnLsEjIAnEKDEgKeiI53hGQ7l8E
DBcc00Xwi80WrTw9tIdzqCgqU1drfn7Vr5CDpNOIU+WNHHBiBza/3ROgN+UzovfD
g1R5sKZGkXqEGW0Sc12egrf3FGC+gFb+FdMSpf61eg3s8+S95/tiKzeQPFFuFL2t
1o8+63hXI+9BMf0Wm3K+yqtMODSnNdAZqE9xZ430cmzvLxJjKyHQgSFVz3sZ4ttW
zMxDMYjsjWpkgLBamQ4TKmUhZjphm7jQIhadK+4VhhbPehp4gxz8maX/tWHgS8ip
ny1v6Xb6ZSzF3+T//NGJqJ00XB7fUq4rhxnvlNiHd7fCb239CFu/Ax2GY7aGxPkO
2dgirtH6ndgsmbNEIx93at1x6poscDOlq1lW3RjOLTcgjcGWEYyeaicDrM+2EihE
PWmXmwXRkQe8cz3NElqm9meffv/77TPVg0aVhjw+aQLH7C8AiG7ibB6XfnrIPrp6
8495wsOU6egA5TozjtTmdZwGnAi8ThsBra289LwX1n3k5QTDqJOE6mOVklNoRoFN
6mVv5r6tb8tQWr2xvHt6QOpIq8tSdT5JaWCBMYhC6UTm9ATMetUVpPmmVcH/67LL
qfH3+lXQHmkgRcxj53KR
=TTJg
-----END PGP SIGNATURE-----

--- End Message ---