-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 28 Aug 2018 15:20:26 -0400
Source: git-annex
Binary: git-annex
Architecture: source amd64
Version: 5.20141125+oops-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description:
 git-annex - manage files with git, without checking their contents into git
Changes:
 git-annex (5.20141125+oops-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Switch to non-native package to properly ship security patches.
     This required bumping the upstream version number but we just
     reused the same tarball.
   * Ship CVE-2017-12976.patch correctly (shipped directly in the tarball)
   * To properly fix CVE-2018-10859, backport annex.verify from 5.20151019:
     * Do verification of checksums of annex objects downloaded from
       remotes.
     * When annex objects are received into git repositories from other
       git repos, their checksums are verified then too.
     * To get the old, faster, behavior of not verifying checksums, set
       annex.verify=false, or remote.<name>.annex-verify=false.
     * setkey, rekey: These commands also now verify that the provided
       file matches the key, unless annex.verify=false.
     * reinject: Already verified content; this can now be disabled by
       setting annex.verify=false.
   * CVE-2018-10857:
     - Added annex.security.allowed-url-schemes setting, which defaults
       to only allowing http, https, and ftp URLs. Note especially that
       file:/ is no longer enabled by default.
     - Removed annex.web-download-command, since its interface does not
       allow supporting annex.security.allowed-url-schemes across
       redirects. If you used this setting, you may want to instead use
       annex.web-options to pass options to curl.
     - git-annex will refuse to download content from the web, to prevent
       accidental exposure of data on private webservers on localhost and
       the LAN. This can be overridden with the
       annex.security.allowed-http-addresses setting. (The S3, glacier,
       and webdav special remotes are still allowed to download from the
       web.)
   * CVE-2018-10857 and CVE-2018-10859:
     - Refuse to download content, that cannot be verified with a hash,
       from encrypted special remotes (for CVE-2018-10859), and from all
       external special remotes (for CVE-2018-10857). In particular, URL
       and WORM keys stored on such remotes won't be downloaded. If this
       affects your files, you can run `git-annex migrate` on the
       affected files, to convert them to use a hash.
     - Added annex.security.allow-unverified-downloads, which can
       override the above.
Checksums-Sha1:
 fa256f9f2743e80e93a284b753e908f49f12cff2 3875 git-annex_5.20141125+oops-1+deb8u2.dsc
 afc4ca3fa7f2db6a815ef3379f0a743e62b44d21 5929810 git-annex_5.20141125+oops.orig.tar.gz
 7373a8744d5e48a0f09516905115d1383fbbd19d 80320 git-annex_5.20141125+oops-1+deb8u2.debian.tar.xz
 05e010703236825003d91010afac58447c563aff 8503784 git-annex_5.20141125+oops-1+deb8u2_amd64.deb
Checksums-Sha256:
 372bb6ffce1388257c09c3cb81df5c385d2f328e7b23b8706706c9129f28749f 3875 git-annex_5.20141125+oops-1+deb8u2.dsc
 1c41bce138a295d24980188547620f2e2f9f07712972ba5a7697512f4a7a49a5 5929810 git-annex_5.20141125+oops.orig.tar.gz
 c690b8eed3c5d5bdc95dca91bf888be0d74fa00d608bb5b01bd6949e003a03b5 80320 git-annex_5.20141125+oops-1+deb8u2.debian.tar.xz
 b33e305229771129f8d667a11500ab62e96f9a8bb1e1bd8c44bbfb5b83e593a3 8503784 git-annex_5.20141125+oops-1+deb8u2_amd64.deb
Files:
 7fb9162b87595bb33005838d27756bdd 3875 utils optional git-annex_5.20141125+oops-1+deb8u2.dsc
 9930bf512dd78122a66107e6cf8300f4 5929810 utils optional git-annex_5.20141125+oops.orig.tar.gz
 95c61e8f2bf83551e31db6a9aa3fd292 80320 utils optional git-annex_5.20141125+oops-1+deb8u2.debian.tar.xz
 b6c304d30d8c7445ed533f2d707d1815 8503784 utils optional git-annex_5.20141125+oops-1+deb8u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAluQJVcACgkQPqHd3bJh
2XvpcAf/Wm0FuC8a6gbSlIFptnjzZVpLxMx4i4lpMz3GmyClXnYNLcYah2XdvoOh
EjNAj/GVC9CJqKxE4uiDJYJz3RqeMUfSTJBNK7y/tCI98RY3jyoO08aeUHUJ2533
KBjle0drPgN/DcuNL4NNK2RY+onyc7C2idr7kUZKQar8wCgR7Sf16fqGRDEkrw/3
g8NNN7XvffZOdkWx8d383As5qpjbOQ/sNnnealMLr9COAuJSArfzaJCGukxUTSIZ
wu7VRwMre0RNcB2S4CVpnbbHNCr+DX/PouxPCuJSSvJRe0/kIFdmiaX5wsqlkcTQ
oMQUk7GDY+2JCRUJUOochx4FbRseVQ==
=mewP
-----END PGP SIGNATURE-----