Format: 1.8
Date: Thu, 23 Jan 2020 11:10:21 +0100
Source: python-apt
Architecture: source
Version: 1.8.4.1
Distribution: buster-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 944696
Changes:
 python-apt (1.8.4.1) buster-security; urgency=high
 .
   * SECURITY UPDATE: Check that repository is trusted before downloading
     files from it (LP: #1858973)
     - apt/cache.py: Add checks to fetch_archives() and commit()
     - apt/package.py: Add checks to fetch_binary() and fetch_source()
     - CVE-2019-15796
   * SECURITY UPDATE: Do not use MD5 for verifying downloads
     (Closes: #944696) (#LP: #1858972)
     - apt/package.py: Use all hashes when fetching packages, and
       check that we have trusted hashes when downloading
     - CVE-2019-15795
   * To work around the new checks, the parameter allow_unauthenticated=True
     can be passed to the functions. It defaults to the value of the
     APT::Get::AllowUnauthenticated option.
   * Automatic changes and fixes for external regressions:
     - Adjustments to test suite and CI to fix CI regressions
     - testcommon: Avoid reading host apt.conf files
     - Automatic mirror list update
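
The policy the two security entries describe, as an added example (it is not python-apt's code and does not call its API): refuse a download unless the repository is trusted and a trusted hash is listed, verify every listed hash, and honour an explicit allow_unauthenticated opt-out. The function names, the sample data and the choice of SHA-256/SHA-512 as the trusted set are assumptions of this example.

```python
import hashlib

# Assumption of this example: SHA-256/SHA-512 count as trusted, MD5 alone does not.
TRUSTED_ALGOS = {"sha256", "sha512"}

class FetchRefused(Exception):
    """A download was refused or its content failed verification."""

def check_fetch_allowed(source_trusted, expected, allow_unauthenticated=False):
    """Pre-download gate: trusted repository and at least one trusted hash."""
    if allow_unauthenticated:      # explicit opt-out, as in the changelog
        return
    if not source_trusted:
        raise FetchRefused("repository is not trusted")
    if not TRUSTED_ALGOS & set(expected):
        raise FetchRefused("no trusted hash for this file")

def verify_all_hashes(data, expected):
    """Check every listed hash, not only the first or the weakest one."""
    for algo, want in expected.items():
        if hashlib.new(algo, data).hexdigest() != want.lower():
            raise FetchRefused(algo + " mismatch")

def fetch(data, source_trusted, expected, allow_unauthenticated=False):
    """`data` stands in for the bytes a real downloader would return."""
    check_fetch_allowed(source_trusted, expected, allow_unauthenticated)
    verify_all_hashes(data, expected)  # listed hashes are checked even when opted out
    return data

def outcome(*args, **kwargs):
    """Return "ok" or the refusal reason, for easy comparison."""
    try:
        fetch(*args, **kwargs)
        return "ok"
    except FetchRefused as exc:
        return str(exc)

# Constructed sample input: a fake package body and the hashes an index would list.
SAMPLE = b"constructed .deb contents for the example"
FULL = {a: hashlib.new(a, SAMPLE).hexdigest() for a in ("md5", "sha256", "sha512")}
MD5_ONLY = {"md5": FULL["md5"]}

if __name__ == "__main__":
    print(outcome(SAMPLE, True, FULL))
    print(outcome(SAMPLE, False, FULL))
    print(outcome(SAMPLE, True, MD5_ONLY))
    print(outcome(SAMPLE, False, MD5_ONLY, allow_unauthenticated=True))
    print(outcome(SAMPLE + b"x", True, FULL))
```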