-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 05 Jun 2014 22:52:45 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.15.11
Distribution: squeeze-security
Urgency: high
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 746498 749183
Changes:
 dpkg (1.15.11) squeeze-security; urgency=high
 .
   [ Guillem Jover ]
   * Test suite:
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
     - Add test case for patch disabling hunks; not security sensitive.
   * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
     traversal attempts from hostile source packages when unpacking them.
     Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
     directory traversal; meanwhile also independently found by me both
     #749183 and what was supposed to be #746498, which was later on published
     and ended up being just a subset of the other non-reported issue.
     Fixes CVE-2014-3864 and CVE-2014-3865.
     Closes: #746498, #749183

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----