
Bug#946597: marked as done (python-apt: security regression in 1.9.1)



Your message dated Thu, 12 Dec 2019 18:06:19 +0000
with message-id <E1ifSqx-000493-Sr@fasolo.debian.org>
and subject line Bug#946597: fixed in python-apt 1.9.2
has caused the Debian Bug report #946597,
regarding python-apt: security regression in 1.9.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
946597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946597
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: python-apt
Version: 1.9.1
Severity: critical
Tags: security experimental

I made python-apt use all available hashes instead of defaulting to md5 in
1.9.1 (and 1.9.0 was just broken); but now, if there are no hashes, that'd
verify correctly as well, so I gotta fix that, but might not make it today,
so filing this to let people running apt-listbugs know.

-- System Information:
Debian Release: bullseye/sid
  APT prefers focal
  APT policy: (991, 'focal'), (500, 'focal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-23-generic (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python-apt depends on:
ii  dirmngr            2.2.17-3ubuntu1
ii  gnupg              2.2.17-3ubuntu1
ii  libapt-pkg5.90     1.9.5+0~201912061248~ubuntu20.04.1
ii  libc6              2.30-0ubuntu2
ii  libgcc1            1:9.2.1-21ubuntu1
ii  libstdc++6         9.2.1-21ubuntu1
ii  python-apt-common  1.9.1
ii  python2            2.7.17-1

Versions of packages python-apt recommends:
ii  iso-codes    4.4-1
ii  lsb-release  11.1.0ubuntu1
ii  xz-utils     5.2.4-1

Versions of packages python-apt suggests:
ii  apt             1.9.5+0~201912061248~ubuntu20.04.1
pn  python-apt-dbg  <none>
pn  python-apt-doc  <none>

-- no debconf information

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---
--- Begin Message ---
Source: python-apt
Source-Version: 1.9.2

We believe that the bug you reported is fixed in the latest version of
python-apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated python-apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Dec 2019 18:27:02 +0100
Source: python-apt
Architecture: source
Version: 1.9.2
Distribution: experimental
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 946597
Changes:
 python-apt (1.9.2) experimental; urgency=medium
 .
   * SECURITY UPDATE: Check that we have trusted hashes when downloading
     in fetch_binary() / fetch_source() (1.9.1 regression) (Closes: #946597)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
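
The following is an added example, not python-apt's code and not part of the messages above: it shows the fail-open pattern the report describes (checking every listed hash means an empty list verifies) next to a fail-closed check of the kind the 1.9.2 changelog entry names. The function names, the exception class and the `TRUSTED_ALGOS` set are assumptions made for this example.

```python
import hashlib

# Assumption for this example: only these digest types count as trusted.
TRUSTED_ALGOS = {"sha256", "sha512"}


class UntrustedHashesError(Exception):
    """Raised when no trusted hash is available to verify a download."""


def verify_fail_open(data, expected):
    """Regression pattern: check every listed hash, so an empty list passes."""
    return all(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in expected)


def verify_fail_closed(data, expected):
    """Hardened pattern: refuse to verify unless a trusted hash is present."""
    if not any(algo in TRUSTED_ALGOS for algo, _ in expected):
        raise UntrustedHashesError("no trusted hash for this download")
    return all(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in expected)


def demo():
    payload = b"constructed package bytes"       # constructed sample input
    tampered = b"constructed package bytes!"     # constructed modified copy
    good = [("sha256", hashlib.sha256(payload).hexdigest())]
    md5_only = [("md5", "0" * 32)]               # constructed placeholder digest
    results = {
        # all() over an empty list is True: nothing was checked, yet it "passes".
        "open_empty": verify_fail_open(tampered, []),
        "closed_good": verify_fail_closed(payload, good),
        "closed_tampered": verify_fail_closed(tampered, good),
    }
    for name, hashes in (("closed_empty", []), ("closed_md5_only", md5_only)):
        try:
            results[name] = verify_fail_closed(tampered, hashes)
        except UntrustedHashesError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```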
