dpkg (1.20.0) experimental; urgency=medium
* libdpkg: Do not generate a backup file for the available database.
* perl: Switch Getopt::Long from bundling to bundling_values. This means
the few scripts using Getopt::Long will stop accepting options in the
form «-ab» for «-a -b», which is not future-proof, as it does not allow
these options to get new arguments without making them ambiguous.
* dpkg-buildpackage: Remove transient backwards R³ compatibility code.
* buildtools.mk: Add support for nostrip in DEB_BUILD_OPTIONS when setting
the STRIP variable.
* dpkg-genbuildinfo: Do not include irrelevant packages in the Binary field.
* dpkg: Do not clear selections for unknown packages.
* dpkg-shlibdeps: Add support for new Build-Depends-Packages, to be able
to specify multiple packages.
Based on a patch by Frank Schaefer <kelledin@gmail.com>.
* perl: Remove support for versioned GnuPG 2 program and packages.
* libdpkg: Clarify lock contender error message. Print the PID of the lock
contender, and add a warning explaining that removing the lock file is
never the correct solution.
* dpkg-genchanges, dpkg-mergechangelogs: Remove support for ~vola
versioning, as volatile.debian.org was decommissioned some time ago.
* dpkg-genchanges, dpkg-mergechangelogs: Match ~deb also as a backport
marker in versions.
* libdpkg, dpkg: Use new versiondescribe_c() for non-localizable call sites,
such as when writing to a log, which should not be localized.
* dpkg-query: Try to use the package synopsis from the available file if
not installed.
* dpkg-gencontrol: Take into account hardlinks when computing the
Installed-Size substvar.
Patch co-authored with Sven Joachim <svenjoac@gmx.de>.
* dpkg: Fix and clarify behavior for packages marked to be on “hold”. These
need to be processed for configuration and triggers.
* dpkg: Use DPKG_ADMINDIR to set the admindir.
* dpkg-source: Remove backwards compatibility code for legacy build-profiles.
* perl: Give more context on field parsing errors.
* dpkg-buildpackage: Add option to sanitize environment.
* update-alternatives: Cope with a missing administrative directory.
* update-alternatives: Create the administrative directory on demand.
* dpkg-split: Cope with a missing parts/ database directory.
* dpkg-split: Create the parts/ database directory on demand.
* libdpkg: Consider msdbrw_needsuperuser equivalent to msdbrw_write, so
the same checks are performed on normal non --force-not-root operation.
* libdpkg: Add support for bootstrapping the installation of dpkg:
- Create the logfile with correct permissions, and remove the code
setting up the logfile from the dpkg postinst.
- Allow missing status and available databases, so that they get created
on write, and remove the code setting them up from the dpkg postinst.
- Do not change the ownership of the triggers database directory. Either
we are running as root:root which means the ownership should be correct
already, or we are not which means we cannot change it anyway.
- Create the dpkg database directory on demand.
- Create the updates/ database directory on demand.
- Create the info/ database directory on demand.
* dpkg-architecture: Fix handling of exec failing in --command.
Reported by Helmut Grohne <helmut@subdivi.de>.
* dpkg-buildpackage: Do not accept equal signs as part of the hook names.
Reported by Daniel Shahaf <danielsh@apache.org>.
* dselect: Mark a string for translation.
* dselect: Cleanup access methods:
- Remove harddisk methods, as they were non-functional due to fdisk
interface changes, and do not make sense anymore as we can expect users
to mount any such filesystem on their own, to then use a filesystem
method instead. Prompted by Helmut Grohne <helmut@subdivi.de>.
- Remove cdrom method superseded by the multi_cd method.
- Remove nfs methods, as there is nothing special about NFS, and mounting
these should just be left to the local admin, who can mount any other
remote filesystem too.
- Remove multi_mount method, as the multi_cd method can take care of
mounting the necessary images or devices.
- Replace changelog with correct copyright in file header.
* dpkg, dselect: Stop using first-person singular in output messages.
* libdpkg: Fix memory leak in parsedb context close.
* buildtools.mk: Add QMAKE variable.
* po: Fix translation of --compare-versions.
Thanks to Boyuan Yang <byang@debian.org>.
* Perl modules:
- Dpkg::Source::Package: Verify original tarball signatures at build time.
- Dpkg::BuildFlags: Add new unset() method.
Requested by Daniel Schepler <dschepler@gmail.com>.
- Dpkg::Source::Package::V2: Emit a special patch header on
single-debian-patch.
- Dpkg::Vendor::Debian: Only scan /usr/local/ directories that exist.
- Dpkg::Vendor::Debian: Do not set -Werror=implicit-function-declaration
for C++.
- Dpkg::Deps: Check for valid virtual package version relations. Do not
allow non-equal version relations in virtual provides.
- Dpkg: Remove internal lowercase variables $version, $progname,
$admindir, $dpkglibdir and $pkgdatadir.
- Dpkg::Changelog: Remove obsolete methods dpkg() and rfc822().
- Dpkg::Changelog::Entry::Debian: Remove obsolete methods check_header()
and check_trailer(). Hide variables $regex_header and $regex_trailer.
- Dpkg::Changelog::Parse: Remove warnings of obsolete options forceplugin
and libdir. Remove obsolete functions changelog_parse_debian() and
changelog_parse_plugin().
- Dpkg::Compression: Hide internal lowercase variables
$default_compression, $default_compression_level and
$compression_re_file_ext.
- Dpkg::Deps::KnownFacts: Remove obsolete check_package() method.
- Dpkg::Exit: Hide internal lowercase @handlers variable.
- Dpkg::Gettext: Remove obsolete _g() function.
- Dpkg::Source::Package: Hide internal lowercase variable
@tar_ignore_default_pattern. Remove internal lowercase variable alias
$diff_ignore_default_regexp.
- Dpkg::Substvars: Remove obsolete no_warn() method.
- Dpkg::Index: Change default value for unique_tuple_key to 1.
- Dpkg::Version: Remove deprecation warning from semantic change in
bool overload.
- Dpkg::Checksums: Remove obsolete 'program' property warning.
- Dpkg::Conf: Remove obsolete methods and obsolete croak for method option.
- Dpkg::Vendor: Remove obsolete 'keyrings' hook.
- Dpkg::Exit: Unregister all signal handlers once we have executed them.
- Dpkg::Exit: Register exit handlers also for __DIE__.
- Dpkg::Source::Package::V3::Native: Do not say v1.0 for 3.0 formats.
- Dpkg::Dist::Files: On filename parse error say file instead of package.
- Dpkg::Substvars: Add new vendor:Name and vendor:Id substvars.
- Dpkg::Source::Package: Detect directory traversals under debian
directory. Reported by Felix Lechner <felix.lechner@lease-up.com>.
* Documentation:
- man: Fix uncommon wording constructs.
- man: Use a minus sign for a literal string.
- man: Clarify that the pager is called via «$SHELL -c».
- dpkg-shlibdeps: Document split_soname() function.
Prompted by Christopher Crim <christopher.crim@quoininc.com>.
- Dpkg::Changelog: Document methods provided by subclasses.
Reported by Felix Lechner <felix.lechner@lease-up.com>.
- man: Globally adjust left and disable hyphenation.
- man: Split dselect(1) --color from --colour option items.
- man: Describe the SONAME formats supported in deb-shlibs(5).
- man: Move template symbol documentation into new deb-src-symbols(5).
- Dpkg::Changelog::Parse: Remove $ sigil from option names in POD.
- Dpkg: Say class instead of object when appropriate.
- Dpkg::Changelog: Clarify that these classes inherit from some other
base class, which will contain the missing documentation.
Prompted by intrigeri <intrigeri@debian.org>.
- man: Clarify deb-changelog(5) format.
- man: Clarify debian/source/include-binaries format in dpkg-source(1).
Prompted by Felix Lechner <felix.lechner@lease-up.com>.
- man, doc: Clarify that the postinst "triggered" argument gets the
trigger-name(s) as a space-separated list in the second argument.
Prompted by Michael Biebl <biebl@debian.org>.
- dselect: Update the multicd README file.
- doc, man: Mark T and I package instances to avoid misreadings.
* Code internals:
- Dpkg::Source::Package: Refactor original tarball handling.
- perl: Use File::Copy instead of spawning mv/cp commands.
- Dpkg::OpenPGP: Refactor signature verification into a new function.
- Dpkg::OpenPGP: Make it possible to verify detached signatures.
- Dpkg::OpenPGP: Add support for importing an OpenPGP key into a keyring.
- Dpkg::BuildFlags: Remove unused hash keys.
- libdpkg: Use the variable instead of a type as sizeof() argument.
- libdpkg: Use the totalwritten variable for a consistency check.
- dselect: Reduce scope of variable, to avoid it being unused in a branch.
- dpkg-deb: Fold two adjacent if conditionals into a single one.
- dpkg: Initialize flagdeppossi in check_conflict().
- libdpkg: Add new C locale switch over support.
- libdpkg: Add new versiondescribe_c() to force a C locale.
- dselect: Make baselist::draw_column_*() col arguments const.
- libdpkg: Use p instead of name in dpkg_arch_name_is_illegal().
- dpkg: Remove redundant condition for sourcefile in updateavailable().
- dpkg, update-alternatives: Make variables static.
- libdpkg: Add missing symbols to the version map.
- libdpkg: Fix fiemap memory layout usage that confuses gcc 10 to emit a
warning.
- libdpkg: Only use varbuf_printf() in pkg_format_show() when necessary.
This should speed up «dpkg-query --show» formatting.
- libdpkg: Fix package format string to be a string literal.
This suppresses a gcc warning.
- dpkg: Fix short lived memory leak in --force-help handling.
- dpkg-split: Fix short lived file descriptor leak in --auto.
- start-stop-daemon: Explicitly ignore unimportant function return values.
- start-stop-daemon: Fix memory leak on multiple --chuid arguments.
- start-stop-daemon: Close the notification socket in the child.
- libdpkg: Fix memory leaks in zlib and bz2 decompression functions.
- libdpkg: Add new dir_make_path() and dir_make_path_parent() functions.
- libdpkg: Add new atomic file flag to create the base path when missing.
- libdpkg: Fix modstatdb_rw enum comments.
- libdpkg, dpkg-query: Optimize db-fsys:Files virtual variable loading.
We load either the entire db-fsys for all packages, possibly optimized
per platform (such as by using fiemap), or the specific ones for the
requested packages. This also fixes a problematic cast removing the
constness of a variable.
- Dpkg::Dist::Files: Document the two filename pattern formats.
- update-alternatives: Remove redundant condition in argument parser.
- update-alternatives: Move error context setup before calling setjmp(),
so that cppcheck stops being confused.
- test: Reformat 200_Dpkg_Shlibs.cpp for coding style conformance.
- dpkg: Make it possible for the compiler to check printf() format
string arguments on dependency printer.
- dselect: Reorder branches in packagelist::deselect_one_of so that they
are not duplicated.
- dselect: Use nullptr instead of NULL.
- dselect: Use static_cast<> instead of old-style type qualifier cast.
- dselect: Do not use unnecessary old-style casts.
- dselect: Fix variable types to avoid needing old-style casts.
- libcompat: Disarm libselinux setexecfilecon() declaration for
libcompat-test.
- libdpkg: Define new VARBUF_OBJECT macro.
- libdpkg: Add new ATOMIC_FILE_NORMAL enum value to avoid a cast in C++.
- libdpkg: Use a new DPKG_NULL macro that works in C and C++.
- libdpkg: Use a new DPKG_STATIC_CAST macro that works in C and C++.
- libdpkg: Move printing of errno into dpkg_error_set().
- libdpkg: Use a varbuf to store the problem messages per parsedb context.
- libdpkg: Fix Doxygen comments.
* Build system:
- Bump minimal Perl version to 5.24.1.
- Add a serial versioning to the m4 files.
- Install m4 files into system aclocal directory.
- Bump minimal gettext version to 0.19.8, to get the m4 files that can
cross-build for musl-based systems.
- Enable more compiler warnings.
- Update Doxygen configuration from version 1.8.16.
* Packaging:
- Remove obsolete Breaks satisfied since oldstable.
- Replace custom rule for 'configure' with call to dh_autoreconf.
Thanks to Dan Streetman <ddstreet@canonical.com>.
- dselect: Remove methods state files on purge.
Spotted by Sven Joachim <svenjoac@gmx.de>.
- Switch to debhelper compatibility level 12.
- Switch from debian/compat to debhelper-compat in Build-Depends.
- Bump Standards-Version to 4.5.0 (no changes required).
* Test suite:
- Remove perlcritic Documentation::RequirePodLinksIncludeText suppression.
- Clarify cppcheck va_list_usedBeforeStarted suppression.
- Skip build directories from codespell check.
- Update stopwords for codespell 1.16.0.
- Suppress new bogus cppcheck 1.90 false positives.
- libdpkg: Remove redundant assignment in t-ehandle unit test.
- Skip backup files from codespell check.
- Ignore python-3.8 runtime warnings in codespell.
[ Updated programs translations ]
* German (Sven Joachim).
* Portuguese (Miguel Figueiredo).
* Simplified Chinese (Mo Zhou).
[ Updated dselect translations ]
* German (Sven Joachim).
[ Updated scripts translations ]
* German (Helge Kreutzmann).
[ Updated man pages translations ]
* German (Helge Kreutzmann)
dpkg (1.18.25)
* Parse start-stop-daemon usernames and groupnames starting with digits in
-u and -c correctly.
* Always use the binary version for the .buildinfo filename in
dpkg-genbuildinfo.
* Fix integer overflow in deb(5) format version parser.
* Fix directory traversal with dpkg-deb --raw-extract, by guaranteeing
that the DEBIAN pathname does not exist.
* Do not try to recompute hashes for the .dsc file when signing binary-only
builds in dpkg-buildpackage.
* Architecture support:
- Add support for riscv64 CPU.
* Perl modules:
- Do not normalize args past a passthrough stop word in Dpkg::Getopt.
Some commands pass some arguments through to another command, and
those must not be normalized as that might break their invocation.
* Documentation:
- Update buildinfo information in dpkg-buildpackage man page to match
the current implementation.
- Use correct name for archname validator value in dpkg(1) man page.
- Update git URLs for move away from alioth.debian.org.
* Packaging:
- Add versioned Build-Depends on tar, due to the --clamp-mtime option
being used in Dpkg::Source::Archive which is used by dpkg-source,
used by the test suite.
dpkg 1.18.24:
* Add missing symbols to the libdpkg map file.
* Fix dpkg-shlibdeps to preserve the Dpkg::Shlibs::find_library() order
when scanning symbols/shlibs files. This was causing generation of bogus
dependencies when multiple packages provide the same SONAME on different
directories. Regression introduced in dpkg 1.18.17.
* Make dpkg-maintscript-helper print all unowned files from a directory
when printing the error message, to ease debugging those problems after
the fact.
Based on a patch by Bastien ROUCARIÈS <roucaries.bastien@gmail.com>.
* Add duplicate prevention code for debian/files to dpkg-genbuildinfo, so
that successive runs with different versions and equivalent build types
do not generate multiple .buildinfo entries to be uploaded, which is
similar to what dpkg-gencontrol is doing for .deb files.
* Fix conffile takeover handling during unpack in dpkg on --root or
on diversions.
* Fix digest inference for shared conffiles, causing bogus takeover
unpack errors. Regression introduced in dpkg 1.16.9.
* Improve tar entry metadata parsing in dpkg:
- Do not parse device numbers for non block nor char tar entry objects.
- Make the existing octal parser more robust, by checking for the
expected format of leading zeros or spaces, followed by any ASCII
octal characters (0-7), followed by zero or more space or NULs.
- Add support for base-256 encoded numeric fields, to support large
values, for UID/GID, device number, size and even signed timestamps.
This is necessary not only to be able to store larger values, but to
cover packages that can already be generated by dpkg-deb, given that
it uses the system GNU tar when building.
* Architecture support:
- Add support for ARM64 ILP32.
* Perl modules:
- Remove obsolete hardening-wrapper support from Dpkg::Vendor::Ubuntu.
- Bump $Dpkg::Deps::VERSION to match the one documented in CHANGES.
- Ignore by default debian/files.new and debian/files for all source
formats in Dpkg::Source::Package, because these are generated files
with well known pathnames, part of the public interface, and with
dpkg-genbuildinfo always injecting .buildinfo entries into
debian/files, this meant this could disrupt previous workflows based
on not cleaning the source tree.
* Documentation:
- Many spelling fixes.
- Do not include misspellings in changelogs, as that makes detecting them
more difficult.
* Build system:
- Use libexec variable for auxiliary internal programs, and set it to
/usr/lib on Debian and derivatives.
- Check that the detected tar is a GNU tar.
- Check that the detected patch is a GNU patch, so that we get a directory
traversal resistant patch implementation. This fixes CVE-2017-8283 by
delegating those checks to patch(1), so that we trap blank-indented
diff hunks trying to escape from the source tree.
* Test suite:
- Add a test case for blank-indented patches which were the cause for
CVE-2017-8283.
- Handle files with non-zero sizes in c-tarextract libdpkg test code.
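The tar numeric field rules listed in the 1.18.24 entry above (octal with leading zeros or spaces and trailing spaces or NULs, plus base-256 for large or signed values) can be sketched as follows. This is an added example, not dpkg's own code: the function names are hypothetical, the 0x80/0xff marker bytes follow GNU tar's convention, and rejecting a field with no digits is a choice made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Octal form: optional leading spaces (leading zeros are ordinary digits),
 * at least one digit 0-7, then only spaces or NULs up to the field end. */
static int parse_octal(const unsigned char *f, size_t len, int64_t *out)
{
    uint64_t acc = 0;
    size_t i = 0, ndigits = 0;

    while (i < len && f[i] == ' ')
        i++;
    for (; i < len && f[i] >= '0' && f[i] <= '7'; i++, ndigits++) {
        if (acc > ((uint64_t)INT64_MAX >> 3))
            return -1;          /* one more digit would overflow int64_t */
        acc = (acc << 3) | (uint64_t)(f[i] - '0');
    }
    if (ndigits == 0)
        return -1;              /* example's choice: empty fields are errors */
    for (; i < len; i++)
        if (f[i] != ' ' && f[i] != '\0')
            return -1;          /* garbage after the digits */
    *out = (int64_t)acc;
    return 0;
}

/* Base-256 form: marker byte 0x80 (non-negative) or 0xff (negative),
 * followed by a big-endian two's complement payload. */
static int parse_base256(const unsigned char *f, size_t len, int64_t *out)
{
    int negative = (f[0] == 0xff);
    uint64_t acc = negative ? UINT64_MAX : 0;
    size_t i;

    for (i = 1; i < len; i++) {
        /* The byte about to be shifted out must be pure sign extension. */
        if ((acc >> 56) != (negative ? 0xffu : 0x00u))
            return -1;
        acc = (acc << 8) | f[i];
    }
    if ((acc >> 63) != (uint64_t)negative)
        return -1;              /* sign bit disagrees with the marker */
    /* Convert without relying on implementation-defined casts. */
    *out = negative ? -(int64_t)(~acc) - 1 : (int64_t)acc;
    return 0;
}

/* Returns 0 and stores the value on success, -1 on a malformed or
 * out-of-range field. */
int tar_field_parse(const unsigned char *f, size_t len, int64_t *out)
{
    if (f == NULL || out == NULL || len == 0)
        return -1;
    if (f[0] == 0x80 || f[0] == 0xff)
        return parse_base256(f, len, out);
    return parse_octal(f, len, out);
}

/* Constructed sample fields (not taken from a real package). */
static const unsigned char size_8gib[12] =
    { 0x80, 0, 0, 0, 0, 0, 0, 0x02, 0, 0, 0, 0 };
static const unsigned char mtime_neg2[12] =
    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xfe };
static const unsigned char too_big[12] = { 0x80, 0x01 };

int main(void)
{
    int64_t v = 0;

    if (tar_field_parse((const unsigned char *)"0000644", 8, &v) == 0)
        printf("mode  = %lld\n", (long long)v);
    if (tar_field_parse(size_8gib, sizeof(size_8gib), &v) == 0)
        printf("size  = %lld\n", (long long)v);
    if (tar_field_parse(mtime_neg2, sizeof(mtime_neg2), &v) == 0)
        printf("mtime = %lld\n", (long long)v);
    if (tar_field_parse(too_big, sizeof(too_big), &v) != 0)
        printf("too_big rejected\n");
    return 0;
}
```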
dpkg (1.18.23) unstable; urgency=medium
* Handle unmatched arch-qualified virtual packages in dpkg-genbuildinfo,
instead of letting perl die. Closes: #849944
* Declare .buildinfo format as stable with version 1.0.
* Do not depend on cxxabi.h to have declared __cxa_pure_virtual, use
the same “__cxxabiv1” namespace as specified in the C++ ABI, instead
of using the “abi” alias intended for use by userland.
Thanks to Jörg Sonnenberger <joerg@netbsd.org>.
* Add a comment on any C code switch case that falls through. Fixes new
gcc-7 warnings.
* Use snprintf() instead of sprintf() in libdpkg when constructing the ar
member header, as we might overflow depending on the input data.
* Portability:
- Do not redeclare sys_siglist in libcompat when the system does so.
Thanks to Thomas Klausner <wiz@NetBSD.org>.
- Rename err variable to ret in start-stop-daemon as the former is a
function on BSDs.
- Use 5-argument kvm_getprocs() call form on OpenBSD in start-stop-daemon.
- Use correct struct kinfo_proc ruid submember name on NetBSD in
start-stop-daemon.
- Define _KMEMUSER for NetBSD to get declarations for various
struct kinfo_proc members in start-stop-daemon.
* Perl modules:
- Do not special case EM_SPARC32PLUS for NetBSD in Dpkg::Shlibs::Objdump,
the code has been fixed in NetBSD as that situation could not happen.
- Fix read() error handling in Dpkg::Shlibs::Objdump::get_format() to
gracefully ignore non-ELF files again. Closes: #854536
- Emit an explicit warning from Dpkg::Shlibs::Objdump::Object::analyze()
for unknown executable formats instead of relying on objdump doing so.
- Do not parse bogus ELF binaries in Dpkg::Shlibs::Objdump::get_format().
Reported by Niels Thykier <niels@thykier.net>.
- Add ‘.mnt-ignore’ to the default ignore lists in Dpkg::Source::Package,
as we were already ignoring the ‘_MTN’ pathnames. Closes: #855450
Thanks to Nicolas Boulenguez <nicolas@debian.org>.
- Mark kfreebsd-amd64, kfreebsd-i386, sparc and sparc64 architectures as
having gcc builtin PIE in Dpkg::Vendor::Debian.
- Switch PIE handling in Dpkg::Vendor::Debian to have no default (!) and
delegate the setting to gcc or an explicit request by a user. This is
needed to cope with the general PIE brokenness situation in Debian, and
the current specific brokenness of a Debian gcc patch mangling the dpkg
build flags. Closes: #848129, #845550
* Documentation:
- Clarify the requirements for deb-conffile(5) pathnames. Closes: #854417
Proposed by Dieter Adriaenssens <dieter.adriaenssens@gmail.com>.
- Document dpkg-source --before-build and --after-build in --help output.
- Document dpkg-buildpackage --ignore-builtin-builddeps in --help output.
* Build system:
- Check <sys/proc.h> by also including <sys/param.h>, on several BSD
systems the header is not self-contained.
- Handle libmd implementations built into system libc, as found on some
BSD systems.
- Do not fail on missing compression libraries or headers on automatic
detection mode. Regression introduced in dpkg 1.18.14.
* Test suite:
- Use the detected perl interpreter instead of a random one from PATH.
[ Updated programs translations ]
* Dutch (Frans Spiesschaert). Closes: #856325
[ Updated scripts translations ]
* German (Helge Kreutzmann).
[ Updated man pages translations ]
* Dutch (Frans Spiesschaert). Closes: #856326
-- Guillem Jover <guillem@debian.org> Mon, 06 Mar 2017 05:41:11 +0100
dpkg (1.16.17) wheezy-security; urgency=high
[ Guillem Jover ]
* Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
Reported by Jacek Wielemborek <d33tah@gmail.com>. Closes: #798324
* Fix an off-by-one write access in dpkg-deb when parsing the old format
.deb control member size. Thanks to Hanno Böck <hanno@hboeck.de>.
Fixes CVE-2015-0860.
* Fix an off-by-one read access in dpkg-deb when parsing ar member names.
Thanks to Hanno Böck <hanno@hboeck.de>.
[ Updated programs translations ]
* Catalan (Jordi Mallach).
[ Updated man page translations ]
* Fix incorrect translation in German (Helge Kreutzmann)
-- Guillem Jover <guillem@debian.org> Wed, 25 Nov 2015 22:34:58 +0100
dpkg (1.16.16) wheezy-security; urgency=high
[ Guillem Jover ]
* Do not leak long tar names on bogus or truncated archives.
* Do not leak the filepackages iterator when a directory is used by other
packages.
* Do not leak color string on «dselect --color».
* Fix memory leaks when parsing alternatives.
* Fix memory leaks in buffer_copy() on error conditions.
* Fix possible out of bounds buffer read access in the error output on
bogus ar member sizes.
* Fix file triggers/Unincorp descriptor leak on subprocesses. Regression
introduced with the initial triggers implementation in dpkg 1.14.17.
Closes: #751021
* Fix a descriptor leak on dselect subprocesses when --debug is used.
* Do not run qsort() over the scandir() list in libcompat if it is NULL.
* Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and
GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX.
Although this should not have security implications as the buffer is
surrounded by two arrays (so those catch accesses even if the stack
grows up or down), and we are compiling with -fstack-protector anyway.
* Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
Closes: #731530
* Fix off-by-one error in libdpkg command argv size calculation.
Based on a patch by Bálint Réczey <balint@balintreczey.hu>. Closes: #760690
* Escape package and architecture names on control file parsing warning,
as those get injected into a variable that is used as a format string,
and they come from the package fields, which are under user control.
Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
Reported by Joshua Rogers <megamansec@gmail.com>.
* Do not match partial field names in control files. Closes: #769119
Regression introduced in dpkg 1.10.
* Fix out-of-bounds buffer read accesses when parsing field and trigger
names or checking package ownership of conffiles and directories.
Reported by Joshua Rogers <megamansec@gmail.com>.
* Add powerpcel support to cputable. Thanks to Jae Junh <jaejunh@embian.com>.
* Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should
only accept [\r\t ] as trailing whitespace, although RFC4880 does not
clarify what whitespace really maps to, we should really match the GnuPG
implementation anyway, as that's what we use to verify the signatures.
Reported by Jann Horn <jann@thejh.net>. Fixes CVE-2015-0840.
[ Raphaël Hertzog ]
* Drop myself from Uploaders.
[ Updated scripts translations ]
* Fix typos in German (Helge Kreutzmann)
* Swedish (Peter Krefting).
[ Updated man page translations ]
* Fix typos in German (Helge Kreutzmann)
* Swedish (Peter Krefting).
-- Guillem Jover <guillem@debian.org> Thu, 09 Apr 2015 08:45:47 +0200
dpkg (1.16.15) wheezy-security; urgency=high
[ Guillem Jover ]
* Test suite:
- Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
- Add test case for patch disabling hunks; not security sensitive.
* Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
traversal attempts from hostile source packages when unpacking them.
Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
directory traversal; meanwhile also independently found by me both
#749183 and what was supposed to be #746498, which was later on published
and ended up being just a subset of the other non-reported issue.
Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
[ Updated programs translations ]
* Merge translated strings from master.
[ Updated scripts translations ]
* German (Helge Kreutzmann).
[ Updated man page translations ]
* Merge translated strings from master.
* Unfuzzy or update trivial translations (Guillem Jover).
-- Guillem Jover <guillem@debian.org> Thu, 05 Jun 2014 22:24:36 +0200
dpkg (1.16.14) wheezy-security; urgency=high
[ Guillem Jover ]
* Do not allow patch files with C-style encoded filenames. Closes: #746306
Fixes CVE-2014-3127 and unconditionally fixes CVE-2014-0471.
Reported by Javier Serrano Polo <javier@jasp.net>.
[ Updated scripts translations ]
* German (Helge Kreutzmann).
[ Updated man page translations ]
* German (Helge Kreutzmann).
-- Guillem Jover <guillem@debian.org> Wed, 30 Apr 2014 08:14:16 +0200
dpkg (1.16.13) wheezy-security; urgency=high
[ Guillem Jover ]
* Do not NULL-terminate the list in the compat scandir(), as this might
cause a segfault in case the function returns 0 entries.
* Do not generate perl warnings on undef versions in
Dpkg::Deps::deps_compare(). See: #737731
* Do not overwrite triplet mappings with latter matches in Dpkg::Arch.
Required for the new mipsn32(el) and mips64(el) architecture entries.
* Add support for mipsn32(el) and mips64(el) to arch tables.
Thanks to YunQiang Su <wzssyqa@gmail.com>. Closes: #685096, #707323
* Add ppc64el support to cputable. Closes: #718945
Thanks to Jeff Bailey <jeffbailey@google.com>.
* Add OpenRISC or1k support to cputable.
Thanks to Christian Svensson <christian@cmd.nu>. Closes: #736717
* Clarify that dpkg --set-selections needs an up-to-date available db,
by documenting it on the dpkg(1) man page, and warning whenever dpkg
finds unknown packages while setting the selections. Closes: #703092
* Improve documentation on how to update the available database before
setting package selections. Suggested by Klaus Ita <koki.eml@gmail.com>.
* Recognize «start-stop-daemon -C» as documented. Closes: #719746
Reported by Brian S. Julin <bri@abrij.org>.
* Correctly parse C-style diff filenames in Dpkg::Source::Patch, to avoid
directory traversal attempts from hostile source packages when unpacking
them. Reported by Jakub Wilk <jwilk@debian.org>. Fixes CVE-2014-0471.
[ Updated scripts translations ]
* Fix a typo in the German scripts translation.
[ Updated man page translations ]
* Fix and unify translation in German man pages.
-- Guillem Jover <guillem@debian.org> Fri, 25 Apr 2014 04:38:33 +0200
dpkg (1.16.12) stable; urgency=low
* Fix value caching in Dpkg::Arch by not shadowing the variables.
Closes: #724949
-- Guillem Jover <guillem@debian.org> Mon, 30 Sep 2013 16:52:37 +0200
dpkg (1.16.11) stable; urgency=low
[ Raphaël Hertzog ]
* Fix usage of non-existent _() function in multiple places of the Perl
code. Thanks to Lincoln Myers <lincoln@netapp.com> for the patch.
Closes: #708607
[ Guillem Jover ]
* Fix chmod() arguments order in Dpkg::Source::Quilt. Closes: #710265
Thanks to Pablo Oliveira <pablo@sifflez.org>.
* Only ignore older packages if the existing version is informative. This
allows any program using libdpkg to parse the available file to see again
packages with versions lesser than 0-0 (like 0~0-0). Closes: #676664
* Fix use after free in dpkg_arch_load_list() on libdpkg.
Reported by Pedro Ribeiro <pedrib@gmail.com>.
[ Updated programs translations ]
* Vietnamese (Trần Ngọc Quân). Closes: #715334
[ Added man page translations ]
* Italian (Beatrice Torracca). Closes: #711647
[ Updated man page translations ]
* Japanese (TAKAHASHI Motonobu). Closes: #704240
-- Guillem Jover <guillem@debian.org> Mon, 23 Sep 2013 16:51:18 +0200
Problems found locating distfiles:
Package colorls: missing distfile ls.tar.gz
Package molden: missing distfile molden-4.6/molden4.6.tar.gz
Package softmaker-office-demo: missing distfile ofl06trial.tgz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
with some fixes mentioned in PR pkg/47234.
dpkg (1.16.10) unstable; urgency=low
[ Guillem Jover ]
* Fix typos in 1.16.9 changelog entry. Closes: #691954
Thanks to Nicolás Alvarez <nicolas.alvarez@gmail.com>.
* Add missing @LIBLZMA_LIBS@ to Libs.Private in libdpkg.pc.in.
* Do not use an undefined va_list variable in dpkg_put_errno().
* Abort installation if we cannot set the security context for a file.
* Fix OpenPGP armored signature parsing, to be resilient against doctored
input, including source package control files. Closes: #695919
* Make sure the OpenPGP armor contains a signature block, even on EOF.
* Do not accept Armor Header Lines inside a paragraph.
* Do not abort dselect when multiarch is detected, as that only makes
users downgrade and hold on an older version w/ worse multiarch support.
* Fix warning in Dpkg::Source::Archive with «perl -w» due to redefinition
of getcwd() by removing unused POSIX modules usage. Closes: #700978
[ Updated programs translations ]
* Esperanto (Felipe Castro).
* Spanish (Javier Fernández-Sanguino).
* Vietnamese (Trần Ngọc Quân). Closes: #692100
[ Updated scripts translations ]
* Fix mistranslation in French translation of scripts.
Thanks to Filipus Klutiero. Closes: #698530
* Fix typos in French translation of scripts.
Thanks to Sylvestre Ledru. Closes: #702627
* Fix Russian translation (wrong order of parameters in a string).
Thanks to Andrey Rahmatullin for noticing and Yuri Kozlov for fixing
the translation. Closes: #698869
-- Guillem Jover <guillem@debian.org> Fri, 08 Mar 2013 04:41:26 +0100
dpkg (1.16.9) unstable; urgency=low
[ Raphaël Hertzog ]
* Fix dpkg-source regression in "3.0 (quilt)" source packages while
unapplying patches that remove all files in a directory. Closes: #683547
* Fix segfault in field format parsing on empty strings, affecting
«dpkg-query -W -f ''» and «dpkg-deb -W --showformat=''». LP: #1035512
* Fix dpkg's French usage string which was missing the final “s” in
--print-foreign-architectures. Closes: #685863
[ Guillem Jover ]
* Use “statoverrides” instead of “statusoverrides” in dpkg-statoverride.
Closes: #686995
* Comment out dpkg(1) documentation about disabled --command-fd option.
Closes: #685677
* Cleanup dpkg-divert unit-test environment to avoid build failures.
Closes: #687656
* Fix update-alternatives test suite to behave correctly on non-Debian
binary paths. Known to be affecting at least Gentoo and Mac OS X.
* Do not leak subcall command arguments in update-alternatives.
* Fix segfault on update-alternatives when passing --slave without any
action at all. LP: #1037431
* Fix memory leak in dpkg filesavespackage().
* Do not print garbage (or worse) on dpkg shared conffile debug output.
* Use a hash instead of a ref to a hash for keys() in Dpkg::BuildFlags
get_feature_areas(). This causes compilation failures with older perl
versions, which can be an issue with partial upgrades.
* Fix filter subpattern debug output format string to print an actual
value instead of just blanks.
* Ignore trailing filter subpattern slashes on reinclusion comparison.
This makes sure to reinclude directories previously excluded so that
contained files marked for inclusion do not fail to unpack due to a
missing directory. Closes: #688416
* Do not consider obsolete conffiles as actively owned by the package.
This ensures conffile entries are not mishandled nor mixed up when
configuring packages owning the non-obsolete conffiles. Closes: #689836
Based on a patch by Andreas Beckmann <debian@abeckmann.de>.
* Properly mark in the database obsolete conffiles on package replaces.
* Sync the Conffiles field values for all package instances. Because
only the first package instance being configured will have a *.dpkg-new
conffile available to be processed, the subsequent ones need to use the
hash from the previously processed entries.
* Fix logic for previously configured conffiles, so that the shared
conffile checks actually work on reinstallation. Closes: #684776
* Avoid info database corruption and bogus accesses on unknown format
values, by always reading the format file and validating it.
* Clarify that the most probable reason for multiarch database
inconsistencies is due to upgrades from unofficial dpkg versions.
* Only satisfy a dependency on a “Multi-Arch: foreign” if arch-unqualified.
* Take architecture into account in virtual packages on remove and
configure dpkg actions. Closes: #683411
* Update update-alternatives --query format and examples in man page to
match the implementation.
* Add two missing 3rd person ‘s’ in dpkg-gensymbols(1). Closes: #689863
Thanks to Paul Menzel <pm.debian@googlemail.com>.
* Fix regression on old-style binNMUs for packages that specify an
explicit binary version to dpkg-gencontrol, by always fixing up the
source version. Closes: #690823
[ Updated programs translations ]
* Catalan (Guillem Jover).
* Czech (Miroslav Kure).
* Danish (Joe Dalton). Closes: #690808
* French (Christian Perrier).
* German (Sven Joachim).
* Italian (Milo Casagrande).
* Japanese (Kenshi Muto).
* Polish (Michał Kułach). Closes: #690449
* Portuguese (Miguel Figueiredo). Closes: #682582, #690431
* Russian (Yuri Kozlov). Closes: #688050, #690415
* Slovak (Ivan Masár). Closes: #690426
* Swedish (Peter Krefting).
* Thai (Theppitak Karoonboonyanan). Closes: #690678
* Traditional Chinese (imacat). Closes: #687002
[ Updated scripts translations ]
* Polish (Michał Kułach). Closes: #683104
* Spanish (Omar Campagne). Closes: #685297
[ Updated dselect translations ]
* Basque (Iñaki Larrañaga Murgoitio). Closes: #686421
* Czech (Miroslav Kure).
* Danish (Joe Dalton). Closes: #689820
* Polish (Michał Kułach).
[ Updated man page translations ]
* French (Thomas Vincent, Sylvestre Ledru, Christian Perrier).
Closes: #682978, #683221
* German (Helge Kreutzmann).
* Japanese (Hideki Yamane). Closes: #685103
* Polish (Michał Kułach).
* Spanish (Omar Campagne, Guillem Jover). Closes: #683514
* Swedish (Peter Krefting).
-- Guillem Jover <guillem@debian.org> Sat, 20 Oct 2012 05:59:50 +0200
dpkg (1.16.8) unstable; urgency=low
[ Updated programs translations ]
* Esperanto (Felipe Castro).
* French (Christian Perrier).
* Polish (Michał Kułach). Closes: #680561
* Russian (Yuri Kozlov). Closes: #677850, #680411
* Slovak (Ivan Masár).
* Spanish (Javier Fernández-Sanguino).
[ Updated man page translations ]
* French (Christian Perrier).
[ Updated scripts translations ]
* French (Christian Perrier).
* Russian (Yuri Kozlov).
[ Updated dselect translations ]
* Danish (Joe Dalton). Closes: #680108
* Russian (Yuri Kozlov).
* Traditional Chinese (Asho Yeh - 阿信).
-- Guillem Jover <guillem@debian.org> Sat, 21 Jul 2012 02:11:04 +0200
dpkg (1.16.7) unstable; urgency=low
[ Guillem Jover ]
* Fix bogus dpkg-query --control-show badusage() strings.
[ Raphaël Hertzog ]
* Fix dpkg-gencontrol to correctly compute the source version
in the case of "old-style" bin-nmus. Closes: #679959
[ Updated dselect translations ]
* Catalan (Guillem Jover).
* French (Christian Perrier).
* German (Sven Joachim).
* Swedish (Peter Krefting).
[ Updated programs translations ]
* French (Christian Perrier).
* German (Sven Joachim).
* Italian (Milo Casagrande).
* Swedish (Peter Krefting).
[ Updated man page translations ]
* Swedish (Peter Krefting).
* French (Christian Perrier).
[ Updated scripts translations ]
* Swedish (Peter Krefting).
* French (Christian Perrier).
-- Raphaël Hertzog <hertzog@debian.org> Mon, 02 Jul 2012 21:16:12 +0200
dpkg (1.16.6) unstable; urgency=low
[ Guillem Jover ]
* Do not translate SE Linux context to human readable form while unpacking,
as that might cause the operation to fail if the mcstransd daemon
stopped running during the transaction. Closes: #679641
Thanks to Russell Coker <russell@coker.com.au>.
* Add --control-list and --control-show to dpkg-query --help output.
[ Raphaël Hertzog ]
* Fix import of error functions in dpkg-buildflags. Regression introduced
in 1.16.5.
[ Updated scripts translations ]
* German (Helge Kreutzmann).
[ Updated man page translations ]
* German (Helge Kreutzmann).
-- Guillem Jover <guillem@debian.org> Sat, 30 Jun 2012 21:45:10 +0200
dpkg (1.16.5) unstable; urgency=low
[ Raphaël Hertzog ]
* dpkg-source will now clean up after a failed application of a quilt
patch. Closes: #652970
And it will display a message explaining the most likely cause of
failure (patch applying with fuzz).
* When dpkg-source regenerates the automatic patch (with formats "2.0"
or "3.0 (quilt)") it will keep the current patch header to avoid
losing changes made by the maintainer.
* Modify dpkg-source --commit to auto-whitelist modified binary files.
That way the same command can be used whatever kind of upstream files
has been modified.
* dpkg-source now supports a new option --no-unapply-patches to force
patches to be kept applied after build (used by formats "2.0" and "3.0
(quilt)"). Closes: #643043
[ Guillem Jover ]
* Add a dpkg-buildflags --status action to describe the flag settings.
Thanks to Bernhard R. Link <brlink@debian.org>. Closes: #664058
* Add support for “binary-only” key-value option in changelogs, to allow
marking changelog entries as part of a binary only upload, having a
different version from the source package. Closes: #440094, #672723
* Minimize source architecture list on «dpkg-source -b» by removing
architectures already covered by architecture wildcards. Closes: #675333
* Do not assume $ENV{'HOME'} is defined in Dpkg::Source::Package.
Thanks to Niels Thykier <niels@thykier.net>. Closes: #677631
* Document in more detail in deb(5) the supported ar archive format.
* Document in deb-src-control(5) the “Private-” field prefix.
* Add new start-stop-daemon --no-close option to disable closing file
descriptors on --background. Closes: #627333, #646425
* Switch source compression to xz.
* Detect ar header fields truncation due to too long member names or too
large member sizes. Closes: #678933
* Add new dpkg-query --control-list and --control-show commands, which
replace the now deprecated --control-path.
* Print master and slave alternative link names in update-alternatives
--query and always print alternative link in --config. Closes: #679010
* Cleanup and clarify buffer I/O error reporting. Closes: #621763
* Avoid full stop and double newline at the end of errors and warnings.
Thanks to Jonathan Nieder <jnieder@gmail.com>. Closes: #624000
* Change all programs to accept -? instead of -h for help output.
* Add support for specific arch-qualified dependencies. Closes: #676232
Thanks to Thibaut Girka <thib@sitedethib.com>.
* Accept “:native” arch-qualified Build-Dependencies. Closes: #558095
Thanks to Thibaut Girka <thib@sitedethib.com>.
* Do not use undefined values returned from deps_parse() in dpkg-shlibdeps.
Closes: #640676
* Add an Architecture column to «dpkg-query -l» before the Description
column. Suggested by Jonathan Nieder <jnieder@gmail.com>. Closes: #673190
[ Updated dpkg translations ]
* Swedish (Peter Krefting).
[ Updated dselect translations ]
* Swedish (Peter Krefting).
[ Updated scripts translations ]
* German (Helge Kreutzmann).
[ Updated man page translations ]
* German (Helge Kreutzmann).
* Swedish (Peter Krefting).
-- Guillem Jover <guillem@debian.org> Sat, 30 Jun 2012 04:28:51 +0200
dpkg (1.16.4.3) unstable; urgency=low
* On «update-alternatives --install» only warn for now on out of range
priorities and clamp the values, as there seem to be packages using
priorities > INT_MAX, which although bogus as they were previously
overflowing the int used to store them, that would cause installation
failures when upgrading from squeeze. This will be reverted to an
error after wheezy. Closes: #676874
-- Guillem Jover <guillem@debian.org> Sun, 17 Jun 2012 10:56:15 +0200
dpkg (1.16.4.2) unstable; urgency=low
* Check correctly for out of range negative field width values in dpkg-query
--show format strings. Regression introduced in 1.16.4. Closes: #676796
-- Guillem Jover <guillem@debian.org> Sat, 09 Jun 2012 16:16:17 +0200
dpkg (1.16.4.1) unstable; urgency=low
* Fix explicit file trigger activation. Regression introduced in 1.16.4.
Closes: #676684
-- Guillem Jover <guillem@debian.org> Fri, 08 Jun 2012 23:17:11 +0200
dpkg (1.16.4) unstable; urgency=low
[ Guillem Jover ]
* Deprecate compressing .deb files with lzma, by making dpkg-deb issue a
warning, as the format has several deficiencies that have been addressed
by upstream in xz. Although unpacking will be kept being supported to
handle existing lzma compressed .deb files.
* Add alternative changelog formats documentation from the policy manual
to dpkg-parsechangelog(1). Closes: #584141
* Add MiNT support to ostable and triplettable.
Requested by Thorsten Glaser <tg@mirbsd.de>.
* Add new frontend.txt file to dpkg-dev documenting some public interfaces
for dpkg frontends. Closes: #670897
* Clarify in dpkg(1) when --force-conf* options cause action.
Suggested by Sven Joachim <svenjoac@gmx.de>. Closes: #391818
* Add “gcc | c-compiler” to libdpkg-perl Suggests, due to Dpkg::Arch usage.
Closes: #671198
* Do not mask PIE from dpkg-buildflags on m68k, it appears to work now.
Requested by Thorsten Glaser <tg@mirbsd.de>.
* Remove deprecated support for PGP style signing command interface from
dpkg-buildpackage.
* Remove obsolete --udeb dpkg-scanpackages option.
* Add arm64 support to cputable. Closes: #672408
Thanks Wookey <wookey@wookware.org>.
* Check parsed integers for invalid or no digit errors in start-stop-daemon
and update-alternatives.
* Check all parsed integers for out of range errors; i.e. that no negative
values are allowed if not appropriate, and that no overflows occur.
Closes: #580038
* Switch start-stop-daemon(8) man page examples from /var/run to /run.
* Do not obscure Dpkg::Source::Package ‘require’ errors with custom
error message. Thanks to Thomas Adam <thomas.adam@smoothwall.net> and
Jonathan Nieder <jrnieder@gmail.com>.
* Add new Dpkg::Substvars::set_as_used() member function.
* Rename Dpkg::Substvars no_warn() member function to mark_as_used(), keep
the old name aliased to the new one producing a deprecation warning.
* Add support for Build-Depends-Arch and Build-Conflicts-Arch fields, and
a new -A option to dpkg-checkbuilddeps. Closes: #629480
Thanks to Roger Leigh <rleigh@debian.org>.
* Add support for “none” as a valid dpkg-deb compression strategy value.
Closes: #674711
* Clarify in dpkg(1) that the «dpkg -l» example only lists installed
packages, and that to list available packages «dpkg-query --load-avail»
has to be used instead. Closes: #673305
* Clarify also in the dpkg(1) man page (already present in the dpkg.cfg(5)
man page) the valid filenames for /etc/dpkg/dpkg.cfg.d/ fragment files.
Closes: #674674
* Fix start-stop-daemon to not follow symlinks when creating pidfiles.
Thanks to Carsten Hey <carsten@debian.org>. Closes: #675918
* Refactor the file locking logic into a new Dpkg::File module, and move
the libfile-fcntllock-perl dependency from dpkg-dev to libdpkg-perl.
* Demote the libfile-fcntllock-perl Depends to a Recommends by falling back
to use flock based locking, because it being an XS module makes building
a new perl package bumping the perl ABI impossible, as both packages
become uninstallable. Thanks to Dominic Hargreaves <dom@earth.li>.
Closes: #675947
* Put an & before field_capitalize() calls in Dpkg::Control::Fields to
fix a usage before declaration warning with perl 5.16. Closes: #676262
* Do not warn in dpkg-divert on missing files list file for packages never
installed before. Closes: #673518
* Add support for liblzma to handle .xz and .lzma compressed files, and
switch to it instead of using xz-utils. This removes the xz-utils
Pre-Depends from dpkg. Thanks to Jonathan Nieder <jrnieder@gmail.com>.
* Always activate all path components for file triggers, this fixes file
trigger handling for conffiles and dpkg-trigger invocations.
Closes: #675613, #676061, #676062, #676107, #676118, #676122
* Do not reset Multi-Arch field in the update log when removing the package.
Closes: #676496
* Fix dpkg-split to honour the DPKG_ADMINDIR environment variable.
[ Updated man page translations ]
* German (Helge Kreutzmann).
* French (Christian Perrier). Fixes a mistranslation and some
inconsistencies reported by Vincent Danjean (thanks). Closes: #673158
-- Guillem Jover <guillem@debian.org> Thu, 07 Jun 2012 23:43:19 +0200
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
about the Perl version. Instead of baking the version number into the
PLIST, control it from the Makefile. Also, depend on the current
major/minor version of Perl. Ideally this version should come from
something in lang/perl5, but there isn't any obvious way to do that.
But at least now this only has to be updated in one place when Perl
changes.
Bump PKGREVISION because of the depends changes.
Lots of upstream changes since 1.10.28 (three years ago).
pkgsrc changes:
- the database location has changed to ${VARBASE}/db/dpkg
- man pages are installed
PKGLOCALEDIR and which install their locale files directly under
${PREFIX}/${PKGLOCALEDIR} and sort the PLIST file entries. From now
on, pkgsrc/mk/plist/plist-locale.awk will automatically handle
transforming the PLIST to refer to the correct locale directory.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.