Publishing details

Changelog

dpkg (1.18.24) unstable; urgency=medium

  [ Guillem Jover ]
  * Add missing symbols to the libdpkg map file.
  * Fix dpkg-shlibdeps to preserve the Dpkg::Shlibs::find_library() order
    when scanning symbols/shlibs files. This was causing generation of bogus
    dependencies when multiple packages provide the same SONAME on different
    directories. Regression introduced in dpkg 1.18.17. Closes: #860979
  * Make dpkg-maintscript-helper print all unowned files from a directory
    when printing the error message, to ease debugging those problems after
    the fact. Closes: #813454, #860238
    Based on a patch by Bastien ROUCARIÈS <email address hidden>.
  * Add duplicate prevention code for debian/files to dpkg-genbuildinfo, so
    that successive runs with different versions and equivalent build types
    do not generate multiple .buildinfo entries to be uploaded, which is
    similar to what dpkg-gencontrol is doing for .deb files.
  * Fix conffile takeover handling during unpack in dpkg on --root or
    on diversions. Closes: #837051, #858004
  * Fix digest inference for shared conffiles, causing bogus takeover
    unpack errors. Regression introduced in dpkg 1.16.9. Closes: #861217
  * Improve tar entry metadata parsing in dpkg:
    - Do not parse device numbers for non block nor char tar entry objects.
    - Make the existing octal parser more robust, by checking for the
      expected format of leading zeros or spaces, followed by any ASCII
      octal characters (0-7), followed by zero or more space or NULs.
    - Add support for base-256 encoded numeric fields, to support large
      values, for UID/GID, device number, size and even signed timestamps.
      This is necessary not only to be able to store larger values, but to
      cover packages that can already be generated by dpkg-deb, given that
      it uses the system GNU tar when building. Closes: #850834
  * Architecture support:
    - Add support for ARM64 ILP32. Closes: #824742
      Thanks to Wookey <email address hidden>.
  * Perl modules:
    - Remove obsolete hardening-wrapper support from Dpkg::Vendor::Ubuntu.
      Thanks to Adam Conrad <adconrad@0c3.net>.
    - Bump $Dpkg::Deps::VERSION to match the one documented in CHANGES.
    - Ignore by default debian/files.new and debian/files for all source
      formats in Dpkg::Source::Package, because these are generated files
      with well known pathnames, part of the public interface, and with
      dpkg-genbuildinfo always injecting .buildinfo entries into
      debian/files, this meant this could disrupt previous workflows based
      on not cleaning the source tree.
  * Documentation:
    - Many spelling fixes. Thanks to Josh Soref <email address hidden>.
    - Do not include mispellings in changelogs, as that makes detecting them
      more difficult.
  * Build system:
    - Use libexec variable for auxiliary internal programs, and set it to
      /usr/lib on Debian and derivatives.
    - Check that the detected tar is a GNU tar.
    - Check that the detected patch is a GNU patch, so that we get a directory
      traversal resistant patch implementation. This fixes CVE-2017-8283 by
      delegating those checks to patch(1), so that we trap blank-indented
      diff hunks trying to escape from the source tree.
  * Test suite:
    - Add a test case for blank-indented patches which were the cause for
      CVE-2017-8283.
    - Handle files with non-zero sizes in c-tarextract libdpkg test code.

  [ Updated programs translations ]
  * Catalan (Guillem Jover).
  * Czech (Miroslav Kure).

  [ Updated dselect translations ]
  * Catalan (Guillem Jover).

  [ Updated scripts translations ]
  * Catalan (Guillem Jover).

  [ Updated man pages translations ]
  * German (Helge Kreutzmann, David Rabel). Closes: #857449
  * Spanish (Javier Fernández-Sanguino).

 -- Guillem Jover <email address hidden>  Wed, 17 May 2017 13:16:25 +0200

Builds

Package files