vcswatch reports that
this package seems to have new commits in its VCS but has
not yet updated debian/changelog. You should consider updating
the Debian changelog and uploading this new version into the archive.
Here are the relevant commit logs:
commit af885ad379b05873a866c11e8e48f3b81c56f9f3
Merge: 907a63a1 a1734616
Author: Julian Andres Klode <jak@debian.org>
Date: Mon Jul 13 15:34:55 2026 +0000
Merge branch 'gnurm' into 'main'
test: use `gnurm` where available
See merge request apt-team/apt!593
commit a17346161364bee5d43e672c8a45156e99fd867c
Author: Julian Andres Klode <jak@debian.org>
Date: Mon Jul 13 16:56:03 2026 +0200
test: use `gnurm` where available
See https://github.com/uutils/coreutils/issues/7995 for further
information
commit 907a63a1dc137f9105a4ba2a026c9a6eae0e4d26
Merge: 1c266fc8 f27c2420
Author: Julian Andres Klode <jak@debian.org>
Date: Mon Jul 13 15:32:47 2026 +0000
Merge branch 'fix/install-deb-with-colon-in-path' into 'main'
fix: install-deb-with-colon-in-path
See merge request apt-team/apt!587
commit f27c242061b9db54a6ee856ba2a3c37e5c18bc16
Author: dongshengyuan <545258830@qq.com>
Date: Tue Jun 9 15:29:52 2026 +0800
fix: install-deb-with-colon-in-path
Fix by checking whether the name starts with a path prefix (/, ./,or ../): if so, it is a file path rather than a package name with an architecture suffix, so we skip the colon-splitting logic and look up the package under the native architecture directly.
Add a regression test test-apt-get-install-deb-colon-path that installs a .deb from a directory whose name contains a colon and verifies the installation succeeds.
Signed-off-by: dongshengyuan dongshengyuan@uniontech.com
commit 1c266fc8acfb6c34425193ab40ac97cc2dc33263
Merge: a806cc4d dfeecf7f
Author: Julian Andres Klode <jak@debian.org>
Date: Mon Jul 13 15:15:48 2026 +0000
Merge branch 'hashes' into 'main'
hashes: Fix lingering OpenSSL error
See merge request apt-team/apt!590
commit dfeecf7f520b019a401c77ebba4f7547d43d9ab9
Author: Julian Andres Klode <jak@debian.org>
Date: Fri Jul 3 19:01:54 2026 +0200
hashes: Fix lingering OpenSSL error
Wrap the digest initialization into an error mark that
we pop back to such that we do not end up with a lingering
error when doing other operations.
Closes: #1140227 (hopefully, otherwise it's an openssl bug)
commit a806cc4d872c40b3c5e2a3c7a84aa9aeb9f73f11
Merge: 4c20fd71 a1ea57bc
Author: Julian Andres Klode <jak@debian.org>
Date: Mon Jul 13 15:02:30 2026 +0000
Merge branch 'ai-hardening' into 'main'
Automated fixes for OOB writes
See merge request apt-team/apt!591
commit a1ea57bc793c3d4a89dc6c3c876a615148dca512
Author: Julian Andres Klode <jak@debian.org>
Date: Mon Jul 13 16:36:35 2026 +0200
test: Limit valgrind to 1024 open files
On the new salsa test runner, we see
--139743:0:libcfile Valgrind: FATAL: Private file creation failed.
The current file descriptor limit is 1073741804.
If you are running in Docker please consider
lowering this limit with the shell built-in limit command.
--139743:0:libcfile Exiting now.
Change the test suite to limit valgrind to 1024 open files.
commit 77f4e6519ae236a4d28f0717e803fbc0ef8cf9a7
Author: Julian Andres Klode <jak@debian.org>
Date: Tue Jul 7 23:02:51 2026 +0200
ftparchive: replace ContentsExtract's manual buffer with std::vector<char>
ContentsExtract managed its own heap buffer with realloc/free and
hand-tracked MaxSize/CurSize bookkeeping -- exactly the pattern that
caused the heap overflow in DoItem (single doubling of MaxSize was
insufficient for large tar member names). Replace char *Data/MaxSize/
CurSize with std::vector<char>, letting the standard library handle
growth and bounds. The manual constructor/destructor become redundant
(defaulted), and the external consumer (CacheDB::LoadContents) is
updated to use .data()/.size().
This eliminates the entire bug class; the prior per-method growth-loop
fix in DoItem is subsumed.
commit c7e7c23d60e898a00a160c97d7a7424a8351d4e1
Author: Julian Andres Klode <jak@debian.org>
Date: Tue Jul 7 22:39:31 2026 +0200
gpgv: don't advance past the null terminator in PushEntryWithKeyID
PushEntryWithKeyID() unconditionally did ++p to skip the whitespace
separating the event from the fingerprint. When the status line has no
such separator before the buffer's NUL -- e.g. a final line that gpgv
emitted without a trailing newline (a truncated/aborted write) -- the
first loop stops on the NUL and ++p then steps one byte past the end of
the getline() buffer. The following isxdigit() scan reads out of bounds
and *p = '\0' writes one byte past the heap allocation.
Only advance past the separator when not already at the terminator.
Newline-terminated lines are unaffected: getline() keeps the trailing
'\n', which the first loop stops on and which acts as the separator.
commit 8ab7abcf0aec378f46802aeace8a8184763b92d5
Author: Julian Andres Klode <jak@debian.org>
Date: Tue Jul 7 22:39:20 2026 +0200
deb: guard against unsigned underflow when trimming control newlines
The while loop post-decremented extractor.Length (unsigned long) for
every trailing newline. If the control content consisted entirely of
newlines (or was empty), Length underflowed to ULONG_MAX and the next
iteration wrote '\0' far past the heap buffer. Add a Length > 0 guard
to stop the loop before underflowing.
commit c1208ac6a19af46abd5593351d9bb7d13945793a
Author: Julian Andres Klode <jak@debian.org>
Date: Tue Jul 7 22:39:10 2026 +0200
ftparchive: fix heap overflow in ContentsExtract::DoItem
The reallocation only doubled MaxSize a single time, so a tar member
name longer than the new MaxSize (up to APT_LONGNAME_LIMIT, ~1 MiB)
left the buffer too small for the subsequent strcpy, overflowing the
heap by up to ~512 KiB.
Mirror the TakeContents() growth loop so MaxSize is large enough before
reallocating.
commit 4c20fd71d647ea8289daa4e117f8d48a03b366bc
Merge: 485bdc89 489e6ba7
Author: Julian Andres Klode <jak@debian.org>
Date: Fri Jul 3 15:51:43 2026 +0000
Merge branch 'fix/hashes-openssl-disabled-digest-crash' into 'main'
hashes: don't crash on an unavailable digest
See merge request apt-team/apt!589
commit 489e6ba733a923a2e4d79a20e9e886f4cac046f4
Author: Mark Atwood <mark@reviewcommit.com>
Date: Wed Jul 1 13:44:46 2026 -0700
test: exercise hashes with a disabled digest
Add an integration test for the previous commit. Under a null-provider
OpenSSL config that makes MD5 unavailable, apt-ftparchive's Description-md5
path (Hashes::GetHashString(Hashes::MD5SUM)) must not emit an uninitialised
/garbage digest. A positive control first asserts the field IS produced when
MD5 is available, so the trigger has teeth; the test skips gracefully on
OpenSSL < 3.0 or where the null provider cannot disable MD5.
commit d714c12f40a7e3c5e0593325219a9fe6c430d8d0
Author: Mark Atwood <mark@reviewcommit.com>
Date: Wed Jul 1 12:30:06 2026 -0700
hashes: don't crash on an unavailable digest
Since the switch to OpenSSL (90270f095), PrivateHashes::Enable() can fail
(e.g. MD5 is unavailable under an OpenSSL FIPS provider), leaving the
EVP_MD_CTX for that algorithm as a nullptr. The return value is not checked
at the constructor call sites, so callers that later request that specific
digest hit undefined behaviour:
* HexDigest() calls EVP_MD_CTX_copy(tmp, contexts[index]) with a nullptr
source. On OpenSSL builds where the copy dereferences the source this
SIGSEGVs; on OpenSSL 3.0.13 the copy returns an error, EVP_DigestFinal_ex
leaves the buffer uninitialised, and HexDigest returns a garbage digest
(exit 0, bytes vary run-to-run).
* GetHashString() calls HexDigest() with no IsEnabled() guard, so an
explicitly requested-but-disabled digest reaches the UB above.
Reachable from HashString::GetHashForFile()/VerifyFile()/FromFile() when the
requested type is "MD5Sum", and from apt-cdrom identification (cdromutl.cc),
which hardcodes MD5. The normal update/download path is unaffected:
GetHashStringList() already guards each emit with IsEnabled() and verifies
with the strongest available hash.
Guard HexDigest() against a null context and skip a disabled digest in
GetHashString(), returning an empty HashString. Callers already treat an
empty/mismatching hash as a verification failure, so a disabled digest now
fails cleanly; a present strong hash still verifies unchanged.
This is the OpenSSL-provider analogue of the libgcrypt-era fix in !295
(Debian #1014517), which no longer applies after gcrypt was removed.
commit 485bdc895761f1225fae33c8acb2571e884a3863
Merge: a1c76a66 a13b5091
Author: Julian Andres Klode <jak@debian.org>
Date: Fri Jul 3 13:30:41 2026 +0000
Merge branch 'fix/hashes-include-span' into 'main'
hashes: include <span> for std::span
See merge request apt-team/apt!588
commit a13b5091addd4f065b426297686c861bffc7527a
Author: Mark Atwood <mark@reviewcommit.com>
Date: Wed Jul 1 12:30:31 2026 -0700
hashes: include <span> for std::span
HexDigest() uses std::span (apt-pkg/contrib/hashes.cc:299,369) but relies on
<span> being pulled in transitively by another header. That works on some
libstdc++ versions but fails to build on others (observed with g++-13.3 on
Ubuntu 24.04: std::span undeclared). Include <span> directly.
commit a1c76a66b65339b6764b4f94539cdb0fdecda309
Author: David Kalnischkies <david@kalnischkies.de>
Date: Wed Jun 10 12:41:54 2026 +0000
Unfuzzy the ::host vs host:: doc-only example change
No need to annoy the translators with this change if we can
do the flip for them and hide it as the pot wasn't regenerated
so far (as the change was not part of a release yet).
Gbp-Dch: Ignore
Fixes: 080f2c092795382fe77591f8a41e19172ebead26
commit 02672754102134790e90ba491b1d89529742ec09
Author: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>
Date: Wed Jun 10 09:03:36 2026 +0000
Romanian program translation update
Closes: #1139336
commit 62853bbb16ca032fcaa0920f8af14549d1cc1ca8
Author: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>
Date: Wed Jun 10 09:02:44 2026 +0000
Dutch manpages translation update
Closes: #1135222
commit f4733601e483ecdc166778be84a509dcdb5806dc
Author: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>
Date: Wed Jun 10 09:02:12 2026 +0000
Dutch program translation update
Closes: #1135221
commit 8abecb6ff22c2ae4036d0c4db6bfe801a3b314fb
Author: Américo Monteiro <a_monteiro@gmx.com>
Date: Wed Jun 10 09:01:28 2026 +0000
Portuguese manpages translation update
Closes: #1133965
commit 49e91b96d9faeca50ab0b212174744938d446132
Author: David Kalnischkies <david@kalnischkies.de>
Date: Thu Feb 5 21:18:40 2026 +0000
aptwebserver: Refuse client immediately on TLS handshake
We implement a HTTP-only server here (that is wrapped by stunnel for
HTTPS support), so if a TLS handshake reaches us it is always wrong
and we can just close the connection immediately instead of accepting
it and letting the client run into a timeout as we will never receive
the message(s) we expect.
This happens e.g. with browsers like Firefox that opportunistically
try https first (even if you ask for http and specify a port).
commit 5b49a25a292dd3ed2355fadaca68753a72eb2422
Merge: cae6d486 080f2c09
Author: Julian Andres Klode <jak@debian.org>
Date: Thu May 21 09:06:52 2026 +0000
Merge branch 'https' into 'main'
apt-transport-https(1): document host-specific SSLCert, SSLKey, Verify-Host with host:: instead of ::host
See merge request apt-team/apt!579
commit 080f2c092795382fe77591f8a41e19172ebead26
Author: наб <nabijaczleweli@nabijaczleweli.xyz>
Date: Wed May 13 21:35:36 2026 +0200
apt-transport-https(1): document host-specific SSLCert, SSLKey, Verify-Host with host:: instead of ::host
Empirically, SSLCert and SSLKey need to be specified in the reverse order,
and only
Acquire::https::deb.beaverlabs.net {
SSLCert ".../cert.pem";
SSLKey ".../pkey.pem";
};
, not the documented order, works
Sponsored-by: https://beaverlabs.net
commit cae6d486b4294a0ba0a4694171380737c3818aac
Author: Julian Andres Klode <jak@debian.org>
Date: Wed May 20 19:42:18 2026 +0200
Document and test combined `build-dep --arch-only --indep-only`
This is a supported configuration to only use bare Build-Depends
and Build-Conflicts.