Format: 1.8
Date: Thu, 23 Jan 2020 11:32:18 +0100
Source: python-apt
Binary: python-apt python-apt-doc python-apt-dbg python-apt-dev python-apt-common python3-apt python3-apt-dbg
Architecture: source
Version: 1.4.1
Distribution: stretch-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Description:
 python-apt - Python interface to libapt-pkg
 python-apt-common - Python interface to libapt-pkg (locales)
 python-apt-dbg - Python interface to libapt-pkg (debug extension)
 python-apt-dev - Python interface to libapt-pkg (development files)
 python-apt-doc - Python interface to libapt-pkg (API documentation)
 python3-apt - Python 3 interface to libapt-pkg
 python3-apt-dbg - Python 3 interface to libapt-pkg (debug extension)
Closes: 944696
Changes:
 python-apt (1.4.1) stretch-security; urgency=high
 .
   * SECURITY UPDATE: Check that repository is trusted before downloading
     files from it (LP: #1858973)
     - apt/cache.py: Add checks to fetch_archives() and commit()
     - apt/package.py: Add checks to fetch_binary() and fetch_source()
     - CVE-2019-15796
   * SECURITY UPDATE: Do not use MD5 for verifying downloads
     (Closes: #944696) (LP: #1858972)
     - apt/package.py: Use all hashes when fetching packages, and
       check that we have trusted hashes when downloading
     - CVE-2019-15795
   * To work around the new checks, the parameter allow_unauthenticated=True
     can be passed to the functions. It defaults to the value of the
     APT::Get::AllowUnauthenticated option.
   * Cherry-pick "add pkgsrcrecord.Files.{hashes,size,path,type} getters"
     to enable apt_pkg.SourceRecords to return objects with such getters
     instead of just tuples (providing tuple-style backward compatibility).
   * Automatic changes and fixes for external regressions:
     - Adjustments to test suite and CI to fix CI regressions
     - testcommon: Avoid reading host apt.conf files
     - Automatic mirror list update
Checksums-Sha1:
 fe0374c18168785d7d3a7fd7a2a8d45ef99cdb38 2427 python-apt_1.4.1.dsc
 c7eac12a3d9275b7f350e943c5dfd49e91fa40ee 333512 python-apt_1.4.1.tar.xz
 dc43a04fd852617e801c5b62218b1bff52e9ae40 9792 python-apt_1.4.1_source.buildinfo
Checksums-Sha256:
 8c8bfedba3e76ed59c4d96f3b9c6db22d6193a84468b899527e1add0687c587b 2427 python-apt_1.4.1.dsc
 90a10a7daced35cae9096cb0bd87a6bf1c7e11a0cf201d67bcec4b3b15ab8662 333512 python-apt_1.4.1.tar.xz
 251b4423e40d91dec2ef17e61afe227b2edcc75922d056594d7c840c742e29b0 9792 python-apt_1.4.1_source.buildinfo
Files:
 d75b178165297f2717840ae67300088c 2427 python optional python-apt_1.4.1.dsc
 03a95ce40ebf559851ec2897e6e37415 333512 python optional python-apt_1.4.1.tar.xz
 0260a7b9a2bf2ef9a5f6d023d62a0619 9792 python optional python-apt_1.4.1_source.buildinfo