Debian Package Tracker
Register | Log in
Subscribe

apt

commandline package manager

Choose email to subscribe with

general
  • source: apt (main)
  • version: 3.3.1
  • maintainer: APT Development Team (archive) (DMD)
  • uploaders: Julian Andres Klode [DMD] – Michael Vogt [DMD] – David Kalnischkies [DMD]
  • arch: all any
  • std-ver: 4.1.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.2.4
  • oldstable: 2.6.1
  • stable: 3.0.3
  • testing: 3.3.1
  • unstable: 3.3.1
versioned links
  • 2.2.4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.6.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.0.3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.3.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • apt (1107 bugs: 0, 531, 576, 0)
  • apt-doc (2 bugs: 0, 1, 1, 0)
  • apt-transport-https (4 bugs: 0, 3, 1, 0)
  • apt-utils (43 bugs: 0, 25, 18, 0)
  • libapt-pkg-dev (7 bugs: 0, 0, 7, 0)
  • libapt-pkg-doc (1 bugs: 0, 1, 0, 0)
  • libapt-pkg7.0
action needed
Debci reports failed tests high
  • unstable: pass (log)
    The tests ran in 0:16:34
    Last run: 2026-05-18T02:56:14.000Z
    Previous status: unknown

  • testing: pass (log)
    The tests ran in 0:22:48
    Last run: 2026-06-15T17:42:23.000Z
    Previous status: unknown

  • stable: fail (log)
    The tests ran in 0:15:14
    Last run: 2026-07-17T20:31:55.000Z
    Previous status: unknown

Created: 2025-03-24 Last update: 2026-07-18 17:30
lintian reports 10 errors and 19 warnings high
Lintian reports 10 errors and 19 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-04-07 Last update: 2026-05-20 15:00
47 bugs tagged patch in the BTS normal
The BTS contains patches fixing 47 bugs (51 if counting merged bugs), consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-18 18:16
Depends on packages which need a new maintainer normal
The packages that apt depends on which need a new maintainer are:
  • db5.3 (#1055356)
    • Depends: libdb5.3t64
  • db-defaults (#1055344)
    • Build-Depends: libdb-dev
  • docbook-xsl (#802370)
    • Build-Depends: docbook-xsl
Created: 2023-09-01 Last update: 2026-07-18 17:30
22 open merge requests in Salsa normal
There are 22 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2025-08-19 Last update: 2026-07-13 16:49
26 new commits since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit af885ad379b05873a866c11e8e48f3b81c56f9f3
Merge: 907a63a1 a1734616
Author: Julian Andres Klode <jak@debian.org>
Date:   Mon Jul 13 15:34:55 2026 +0000

    Merge branch 'gnurm' into 'main'
    
    test: use `gnurm` where available
    
    See merge request apt-team/apt!593

commit a17346161364bee5d43e672c8a45156e99fd867c
Author: Julian Andres Klode <jak@debian.org>
Date:   Mon Jul 13 16:56:03 2026 +0200

    test: use `gnurm` where available
    
    See https://github.com/uutils/coreutils/issues/7995 for further
    information

commit 907a63a1dc137f9105a4ba2a026c9a6eae0e4d26
Merge: 1c266fc8 f27c2420
Author: Julian Andres Klode <jak@debian.org>
Date:   Mon Jul 13 15:32:47 2026 +0000

    Merge branch 'fix/install-deb-with-colon-in-path' into 'main'
    
    fix: install-deb-with-colon-in-path
    
    See merge request apt-team/apt!587

commit f27c242061b9db54a6ee856ba2a3c37e5c18bc16
Author: dongshengyuan <545258830@qq.com>
Date:   Tue Jun 9 15:29:52 2026 +0800

    fix: install-deb-with-colon-in-path
    Fix by checking whether the name starts with a path prefix (/, ./,or ../): if so, it is a file path rather than a package name with an architecture suffix, so we skip the colon-splitting logic and look up the package under the native architecture directly.
    Add a regression test test-apt-get-install-deb-colon-path that installs a .deb from a directory whose name contains a colon and verifies the installation succeeds.
    
    Signed-off-by: dongshengyuan dongshengyuan@uniontech.com

commit 1c266fc8acfb6c34425193ab40ac97cc2dc33263
Merge: a806cc4d dfeecf7f
Author: Julian Andres Klode <jak@debian.org>
Date:   Mon Jul 13 15:15:48 2026 +0000

    Merge branch 'hashes' into 'main'
    
    hashes: Fix lingering OpenSSL error
    
    See merge request apt-team/apt!590

commit dfeecf7f520b019a401c77ebba4f7547d43d9ab9
Author: Julian Andres Klode <jak@debian.org>
Date:   Fri Jul 3 19:01:54 2026 +0200

    hashes: Fix lingering OpenSSL error
    
    Wrap the digest initialization into an error mark that
    we pop back to such that we do not end up with a lingering
    error when doing other operations.
    
    Closes: #1140227 (hopefully, otherwise it's an openssl bug)

commit a806cc4d872c40b3c5e2a3c7a84aa9aeb9f73f11
Merge: 4c20fd71 a1ea57bc
Author: Julian Andres Klode <jak@debian.org>
Date:   Mon Jul 13 15:02:30 2026 +0000

    Merge branch 'ai-hardening' into 'main'
    
    Automated fixes for OOB writes
    
    See merge request apt-team/apt!591

commit a1ea57bc793c3d4a89dc6c3c876a615148dca512
Author: Julian Andres Klode <jak@debian.org>
Date:   Mon Jul 13 16:36:35 2026 +0200

    test: Limit valgrind to 1024 open files
    
    On the new salsa test runner, we see
    
    --139743:0:libcfile Valgrind: FATAL: Private file creation failed.
       The current file descriptor limit is 1073741804.
       If you are running in Docker please consider
       lowering this limit with the shell built-in limit command.
    --139743:0:libcfile Exiting now.
    
    Change the test suite to limit valgrind to 1024 open files.

commit 77f4e6519ae236a4d28f0717e803fbc0ef8cf9a7
Author: Julian Andres Klode <jak@debian.org>
Date:   Tue Jul 7 23:02:51 2026 +0200

    ftparchive: replace ContentsExtract's manual buffer with std::vector<char>
    
    ContentsExtract managed its own heap buffer with realloc/free and
    hand-tracked MaxSize/CurSize bookkeeping -- exactly the pattern that
    caused the heap overflow in DoItem (single doubling of MaxSize was
    insufficient for large tar member names). Replace char *Data/MaxSize/
    CurSize with std::vector<char>, letting the standard library handle
    growth and bounds. The manual constructor/destructor become redundant
    (defaulted), and the external consumer (CacheDB::LoadContents) is
    updated to use .data()/.size().
    
    This eliminates the entire bug class; the prior per-method growth-loop
    fix in DoItem is subsumed.

commit c7e7c23d60e898a00a160c97d7a7424a8351d4e1
Author: Julian Andres Klode <jak@debian.org>
Date:   Tue Jul 7 22:39:31 2026 +0200

    gpgv: don't advance past the null terminator in PushEntryWithKeyID
    
    PushEntryWithKeyID() unconditionally did ++p to skip the whitespace
    separating the event from the fingerprint. When the status line has no
    such separator before the buffer's NUL -- e.g. a final line that gpgv
    emitted without a trailing newline (a truncated/aborted write) -- the
    first loop stops on the NUL and ++p then steps one byte past the end of
    the getline() buffer. The following isxdigit() scan reads out of bounds
    and *p = '\0' writes one byte past the heap allocation.
    
    Only advance past the separator when not already at the terminator.
    Newline-terminated lines are unaffected: getline() keeps the trailing
    '\n', which the first loop stops on and which acts as the separator.

commit 8ab7abcf0aec378f46802aeace8a8184763b92d5
Author: Julian Andres Klode <jak@debian.org>
Date:   Tue Jul 7 22:39:20 2026 +0200

    deb: guard against unsigned underflow when trimming control newlines
    
    The while loop post-decremented extractor.Length (unsigned long) for
    every trailing newline. If the control content consisted entirely of
    newlines (or was empty), Length underflowed to ULONG_MAX and the next
    iteration wrote '\0' far past the heap buffer. Add a Length > 0 guard
    to stop the loop before underflowing.

commit c1208ac6a19af46abd5593351d9bb7d13945793a
Author: Julian Andres Klode <jak@debian.org>
Date:   Tue Jul 7 22:39:10 2026 +0200

    ftparchive: fix heap overflow in ContentsExtract::DoItem
    
    The reallocation only doubled MaxSize a single time, so a tar member
    name longer than the new MaxSize (up to APT_LONGNAME_LIMIT, ~1 MiB)
    left the buffer too small for the subsequent strcpy, overflowing the
    heap by up to ~512 KiB.
    
    Mirror the TakeContents() growth loop so MaxSize is large enough before
    reallocating.

commit 4c20fd71d647ea8289daa4e117f8d48a03b366bc
Merge: 485bdc89 489e6ba7
Author: Julian Andres Klode <jak@debian.org>
Date:   Fri Jul 3 15:51:43 2026 +0000

    Merge branch 'fix/hashes-openssl-disabled-digest-crash' into 'main'
    
    hashes: don't crash on an unavailable digest
    
    See merge request apt-team/apt!589

commit 489e6ba733a923a2e4d79a20e9e886f4cac046f4
Author: Mark Atwood <mark@reviewcommit.com>
Date:   Wed Jul 1 13:44:46 2026 -0700

    test: exercise hashes with a disabled digest
    
    Add an integration test for the previous commit. Under a null-provider
    OpenSSL config that makes MD5 unavailable, apt-ftparchive's Description-md5
    path (Hashes::GetHashString(Hashes::MD5SUM)) must not emit an uninitialised
    /garbage digest. A positive control first asserts the field IS produced when
    MD5 is available, so the trigger has teeth; the test skips gracefully on
    OpenSSL < 3.0 or where the null provider cannot disable MD5.

commit d714c12f40a7e3c5e0593325219a9fe6c430d8d0
Author: Mark Atwood <mark@reviewcommit.com>
Date:   Wed Jul 1 12:30:06 2026 -0700

    hashes: don't crash on an unavailable digest
    
    Since the switch to OpenSSL (90270f095), PrivateHashes::Enable() can fail
    (e.g. MD5 is unavailable under an OpenSSL FIPS provider), leaving the
    EVP_MD_CTX for that algorithm as a nullptr. The return value is not checked
    at the constructor call sites, so callers that later request that specific
    digest hit undefined behaviour:
    
      * HexDigest() calls EVP_MD_CTX_copy(tmp, contexts[index]) with a nullptr
        source. On OpenSSL builds where the copy dereferences the source this
        SIGSEGVs; on OpenSSL 3.0.13 the copy returns an error, EVP_DigestFinal_ex
        leaves the buffer uninitialised, and HexDigest returns a garbage digest
        (exit 0, bytes vary run-to-run).
      * GetHashString() calls HexDigest() with no IsEnabled() guard, so an
        explicitly requested-but-disabled digest reaches the UB above.
    
    Reachable from HashString::GetHashForFile()/VerifyFile()/FromFile() when the
    requested type is "MD5Sum", and from apt-cdrom identification (cdromutl.cc),
    which hardcodes MD5. The normal update/download path is unaffected:
    GetHashStringList() already guards each emit with IsEnabled() and verifies
    with the strongest available hash.
    
    Guard HexDigest() against a null context and skip a disabled digest in
    GetHashString(), returning an empty HashString. Callers already treat an
    empty/mismatching hash as a verification failure, so a disabled digest now
    fails cleanly; a present strong hash still verifies unchanged.
    
    This is the OpenSSL-provider analogue of the libgcrypt-era fix in !295
    (Debian #1014517), which no longer applies after gcrypt was removed.

commit 485bdc895761f1225fae33c8acb2571e884a3863
Merge: a1c76a66 a13b5091
Author: Julian Andres Klode <jak@debian.org>
Date:   Fri Jul 3 13:30:41 2026 +0000

    Merge branch 'fix/hashes-include-span' into 'main'
    
    hashes: include <span> for std::span
    
    See merge request apt-team/apt!588

commit a13b5091addd4f065b426297686c861bffc7527a
Author: Mark Atwood <mark@reviewcommit.com>
Date:   Wed Jul 1 12:30:31 2026 -0700

    hashes: include <span> for std::span
    
    HexDigest() uses std::span (apt-pkg/contrib/hashes.cc:299,369) but relies on
    <span> being pulled in transitively by another header. That works on some
    libstdc++ versions but fails to build on others (observed with g++-13.3 on
    Ubuntu 24.04: std::span undeclared). Include <span> directly.

commit a1c76a66b65339b6764b4f94539cdb0fdecda309
Author: David Kalnischkies <david@kalnischkies.de>
Date:   Wed Jun 10 12:41:54 2026 +0000

    Unfuzzy the ::host vs host:: doc-only example change
    
    No need to annoy the translators with this change if we can
    do the flip for them and hide it as the pot wasn't regenerated
    so far (as the change was not part of a release yet).
    
    Gbp-Dch: Ignore
    Fixes: 080f2c092795382fe77591f8a41e19172ebead26

commit 02672754102134790e90ba491b1d89529742ec09
Author: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>
Date:   Wed Jun 10 09:03:36 2026 +0000

    Romanian program translation update
    
    Closes: #1139336

commit 62853bbb16ca032fcaa0920f8af14549d1cc1ca8
Author: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>
Date:   Wed Jun 10 09:02:44 2026 +0000

    Dutch manpages translation update
    
    Closes: #1135222

commit f4733601e483ecdc166778be84a509dcdb5806dc
Author: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>
Date:   Wed Jun 10 09:02:12 2026 +0000

    Dutch program translation update
    
    Closes: #1135221

commit 8abecb6ff22c2ae4036d0c4db6bfe801a3b314fb
Author: Américo Monteiro <a_monteiro@gmx.com>
Date:   Wed Jun 10 09:01:28 2026 +0000

    Portuguese manpages translation update
    
    Closes: #1133965

commit 49e91b96d9faeca50ab0b212174744938d446132
Author: David Kalnischkies <david@kalnischkies.de>
Date:   Thu Feb 5 21:18:40 2026 +0000

    aptwebserver: Refuse client immediately on TLS handshake
    
    We implement a HTTP-only server here (that is wrapped by stunnel for
    HTTPS support), so if a TLS handshake reaches us it is always wrong
    and we can just close the connection immediately instead of accepting
    it and letting the client run into a timeout as we will never receive
    the message(s) we expect.
    
    This happens e.g. with browsers like Firefox that opportunistically
    try https first (even if you ask for http and specify a port).

commit 5b49a25a292dd3ed2355fadaca68753a72eb2422
Merge: cae6d486 080f2c09
Author: Julian Andres Klode <jak@debian.org>
Date:   Thu May 21 09:06:52 2026 +0000

    Merge branch 'https' into 'main'
    
    apt-transport-https(1): document host-specific SSLCert, SSLKey, Verify-Host with host:: instead of ::host
    
    See merge request apt-team/apt!579

commit 080f2c092795382fe77591f8a41e19172ebead26
Author: наб <nabijaczleweli@nabijaczleweli.xyz>
Date:   Wed May 13 21:35:36 2026 +0200

    apt-transport-https(1): document host-specific SSLCert, SSLKey, Verify-Host with host:: instead of ::host
    
    Empirically, SSLCert and SSLKey need to be specified in the reverse order,
    and only
            Acquire::https::deb.beaverlabs.net {
                    SSLCert ".../cert.pem";
                    SSLKey  ".../pkey.pem";
            };
    , not the documented order, works
    
    Sponsored-by: https://beaverlabs.net

commit cae6d486b4294a0ba0a4694171380737c3818aac
Author: Julian Andres Klode <jak@debian.org>
Date:   Wed May 20 19:42:18 2026 +0200

    Document and test combined `build-dep --arch-only --indep-only`
    
    This is a supported configuration to only use bare Build-Depends
    and Build-Conflicts.
Created: 2026-05-20 Last update: 2026-07-13 16:49
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.1.1).
Created: 2018-01-04 Last update: 2026-05-17 21:19
testing migrations
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2026-05-29] apt 3.3.1 MIGRATED to testing (Debian testing watch)
  • [2026-05-17] Accepted apt 3.3.1 (source) into unstable (Julian Andres Klode)
  • [2026-05-01] Accepted apt 3.3.0 (source) into unstable (Julian Andres Klode)
  • [2026-04-10] apt 3.2.0 MIGRATED to testing (Debian testing watch)
  • [2026-04-07] Accepted apt 3.2.0 (source) into unstable (Julian Andres Klode)
  • [2026-02-20] apt 3.1.16 MIGRATED to testing (Debian testing watch)
  • [2026-02-17] Accepted apt 3.1.16 (source) into unstable (Julian Andres Klode)
  • [2026-02-03] apt 3.1.15 MIGRATED to testing (Debian testing watch)
  • [2026-01-31] Accepted apt 3.1.15 (source) into unstable (Julian Andres Klode)
  • [2026-01-29] apt 3.1.14 MIGRATED to testing (Debian testing watch)
  • [2026-01-23] Accepted apt 3.1.14 (source) into unstable (Julian Andres Klode)
  • [2026-01-08] apt 3.1.13 MIGRATED to testing (Debian testing watch)
  • [2026-01-05] Accepted apt 3.1.13 (source) into unstable (Julian Andres Klode)
  • [2025-11-13] apt 3.1.12 MIGRATED to testing (Debian testing watch)
  • [2025-11-10] Accepted apt 3.1.12 (source) into unstable (Julian Andres Klode)
  • [2025-10-28] apt 3.1.11 MIGRATED to testing (Debian testing watch)
  • [2025-10-26] Accepted apt 3.1.11 (source) into unstable (Julian Andres Klode)
  • [2025-10-25] Accepted apt 3.1.10 (source) into unstable (Julian Andres Klode)
  • [2025-10-24] apt 3.1.9 MIGRATED to testing (Debian testing watch)
  • [2025-10-21] Accepted apt 3.1.9 (source) into unstable (Julian Andres Klode)
  • [2025-10-07] apt 3.1.8 MIGRATED to testing (Debian testing watch)
  • [2025-10-04] Accepted apt 3.1.8 (source) into unstable (Julian Andres Klode)
  • [2025-10-02] Accepted apt 3.1.7 (source) into unstable (Julian Andres Klode)
  • [2025-10-02] apt 3.1.6 MIGRATED to testing (Debian testing watch)
  • [2025-09-26] Accepted apt 3.1.6 (source) into unstable (Julian Andres Klode)
  • [2025-09-02] apt 3.1.5 MIGRATED to testing (Debian testing watch)
  • [2025-08-26] Accepted apt 3.1.5 (source) into unstable (Julian Andres Klode)
  • [2025-08-17] apt 3.1.4 MIGRATED to testing (Debian testing watch)
  • [2025-08-11] Accepted apt 3.1.4 (source) into unstable (Julian Andres Klode)
  • [2025-06-30] apt 3.0.3 MIGRATED to testing (Debian testing watch)
  • 1
  • 2
bugs [bug history graph]
  • all: 1079 1194
  • RC: 0
  • I&N: 518 571
  • M&W: 555 617
  • F&P: 6
  • patch: 47 51
  • NC: 5
links
  • lintian (10, 19)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • l10n (70, 68)
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.2.0

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing