-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 17 May 2017 13:16:25 +0200 Source: dpkg Binary: dpkg libdpkg-dev dpkg-dev libdpkg-perl dselect Architecture: source Version: 1.18.24 Distribution: unstable Urgency: medium Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org> Changed-By: Guillem Jover <guillem@debian.org> Description: dpkg - Debian package management system dpkg-dev - Debian package development tools dselect - Debian package management front-end libdpkg-dev - Debian package management static library libdpkg-perl - Dpkg perl modules Closes: 813454 824742 837051 850834 857449 858004 860238 860979 861217 Changes: dpkg (1.18.24) unstable; urgency=medium . [ Guillem Jover ] * Add missing symbols to the libdpkg map file. * Fix dpkg-shlibdeps to preserve the Dpkg::Shlibs::find_library() order when scanning symbols/shlibs files. This was causing generation of bogus dependencies when multiple packages provide the same SONAME on different directories. Regression introduced in dpkg 1.18.17. Closes: #860979 * Make dpkg-maintscript-helper print all unowned files from a directory when printing the error message, to ease debugging those problems after the fact. Closes: #813454, #860238 Based on a patch by Bastien ROUCARIÈS <roucaries.bastien@gmail.com>. * Add duplicate prevention code for debian/files to dpkg-genbuildinfo, so that successive runs with different versions and equivalent build types do not generate multiple .buildinfo entries to be uploaded, which is similar to what dpkg-gencontrol is doing for .deb files. * Fix conffile takeover handling during unpack in dpkg on --root or on diversions. Closes: #837051, #858004 * Fix digest inference for shared conffiles, causing bogus takeover unpack errors. Regression introduced in dpkg 1.16.9. Closes: #861217 * Improve tar entry metadata parsing in dpkg: - Do not parse device numbers for non block nor char tar entry objects. - Make the existing octal parser more robust, by checking for the expected format of leading zeros or spaces, followed by any ASCII octal characters (0-7), followed by zero or more space or NULs. - Add support for base-256 encoded numeric fields, to support large values, for UID/GID, device number, size and even signed timestamps. This is necessary not only to be able to store larger values, but to cover packages that can already be generated by dpkg-deb, given that it uses the system GNU tar when building. Closes: #850834 * Architecture support: - Add support for ARM64 ILP32. Closes: #824742 Thanks to Wookey <wookey@wookware.org>. * Perl modules: - Remove obsolete hardening-wrapper support from Dpkg::Vendor::Ubuntu. Thanks to Adam Conrad <adconrad@0c3.net>. - Bump $Dpkg::Deps::VERSION to match the one documented in CHANGES. - Ignore by default debian/files.new and debian/files for all source formats in Dpkg::Source::Package, because these are generated files with well known pathnames, part of the public interface, and with dpkg-genbuildinfo always injecting .buildinfo entries into debian/files, this meant this could disrupt previous workflows based on not cleaning the source tree. * Documentation: - Many spelling fixes. Thanks to Josh Soref <jsoref@gmail.com>. - Do not include mispellings in changelogs, as that makes detecting them more difficult. * Build system: - Use libexec variable for auxiliary internal programs, and set it to /usr/lib on Debian and derivatives. - Check that the detected tar is a GNU tar. - Check that the detected patch is a GNU patch, so that we get a directory traversal resistant patch implementation. This fixes CVE-2017-8283 by delegating those checks to patch(1), so that we trap blank-indented diff hunks trying to escape from the source tree. * Test suite: - Add a test case for blank-indented patches which were the cause for CVE-2017-8283. - Handle files with non-zero sizes in c-tarextract libdpkg test code. . [ Updated programs translations ] * Catalan (Guillem Jover). * Czech (Miroslav Kure). . [ Updated dselect translations ] * Catalan (Guillem Jover). . [ Updated scripts translations ] * Catalan (Guillem Jover). . [ Updated man pages translations ] * German (Helge Kreutzmann, David Rabel). Closes: #857449 * Spanish (Javier Fernández-Sanguino). Checksums-Sha1: 50bb679a90095d6466345db327426649f9f0ec1f 2032 dpkg_1.18.24.dsc 155fe5c91728bdf82756674d5aa85e4ff2e3eac6 4530444 dpkg_1.18.24.tar.xz f6485a48925083c714615accf84668e58e3b8aa0 7371 dpkg_1.18.24_amd64.buildinfo Checksums-Sha256: 9f1560a0d237ec570f98f8aacfd1cbdd372371cce40e4c7ee4a31315b0c40823 2032 dpkg_1.18.24.dsc d853081d3e06bfd46a227056e591f094e42e78fa8a5793b0093bad30b710d7b4 4530444 dpkg_1.18.24.tar.xz d7e7756b4ddf7db4f9df0612c019c795cd9715e0fe84783cf2763baa559bb362 7371 dpkg_1.18.24_amd64.buildinfo Files: fcc066dbc043e32b1238567052ff437d 2032 admin required dpkg_1.18.24.dsc 02e8af8faf1e689228da806c3e8c6882 4530444 admin required dpkg_1.18.24.tar.xz 6c5714c7ea0701f57165e8b888e818cd 7371 admin required dpkg_1.18.24_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEETz509DYFDBD1aWV0uXK/PqSuV6MFAlkdC5QACgkQuXK/PqSu V6OmURAA5Htm0CZ3KiH1rfBX8l7E+Zzp10vHhryH+V29uKjnTebxFxqO295x2+ku Os4DH1ShnO77ALU04d5HXfd9zLisxzycXl4nEkio3zsgX87v2jlxpM/HQJswl3qh FH1rs8fxGbxLN8deu8poJobFLFSsEtD5QQOL/iDNRhq8aWUjtiGZ5jpy8t0v9vi+ I7eHFtP6GJL+5l8kxH6GPBmxSiP4RPeVADfVFnhnw+DPbtuJuC3oBk/pDRDVi7dZ 94qQLqhQZ/3sbBORI72TM81/FeDiTsLfl9zXGF36BUbR20O8gG/+nE5zjevIAYBo 9GshCY1ZKX+Uk3uOULTHQaH2UJ4mZVjoyByHmwPkAlj5ZNntL8iYG899Sa2F+OTT iRgPyD+BU9pI0iXUrd8bKiZgtKG7Byk/jj8d2Uftgkl9IQ0Q1t4OdTbLEuM1AESf IjF6MCf9aWo38GBf7h1ubAGgo5NFYeftjMjFBjQu5NUDzQeYW4zUc7Oljw9qmLYF qVSAfDOxwPcEjbC2gxKGqGyD3o7xA418kA+A0TiRFe/LRJ7bh3lGEDYqXDtq8Kkh dPkXYPA4MToRRGLxvk3gsgZTdu3UTnJDFEF3vWG4TXhHVhiVP8mMf52he00Xqmot KtuzHZ98yBd/LlXdeXP9AS01bXfjuSopsLZwrRg6kCQ0IpM/dtE= =Abdj -----END PGP SIGNATURE-----
