Accepted gvfs 1.42.1-1 (source) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 07 Oct 2019 15:40:15 +0100
Source: gvfs
Architecture: source
Version: 1.42.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 921816 927221 929755 930376 940026
Changes:
gvfs (1.42.1-1) unstable; urgency=medium
.
* Team upload
* Merge changelog entries from unstable
* New upstream release
- dav: Fix mounting when 403 is returned for the parent folder
- Revert "sftp: Always use port 22 if not specified"
to fix use of a configured port number in ~/.ssh/config
- Translation updates: da, de, nl
* Upload to unstable, now that the required gsettings-desktop-schemas
is available in testing
.
gvfs (1.42.0+really1.38.1-1) unstable; urgency=medium
.
* Team upload
* Re-release 1.38.1-5 to unstable to overwrite premature upload of
1.42.x. Versions 1.42.x depend on a gsettings-desktop-schemas version
from experimental that cannot go to unstable until the mutter and
evolution-data-server transitions for GNOME 3.34 are ready.
(Closes: #940026)
- d/gbp.conf: Set packaging branch to debian/unstable
.
gvfs (1.38.1-5) unstable; urgency=high
.
* Team upload
* d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
Add missing authentication, preventing a local attacker from connecting
to an abstract socket address learned from netstat(8) and issuing
arbitrary D-Bus method calls
* d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
Harden private D-Bus connection by rejecting the more complicated
DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL.
.
gvfs (1.38.1-4) unstable; urgency=high
.
* Team upload
* Update from upstream gnome-3-30 branch to fix the admin backend
(Closes: #929755)
- Implement query_info_on_read/write to fix some race conditions
(CVE-2019-12448)
- Ensure that created files get the correct ownership (CVE-2019-12247)
- Ensure that copied files get the correct ownership (CVE-2019-12449)
* Remove obsolete version number from fuse dependency.
gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
so we can safely simplify to "Depends: fuse".
The versioned dependency is not satisfied by fuse3's unversioned
"Provides: fuse", but the unversioned dependency is. (Closes: #927221)
.
gvfs (1.38.1-3) unstable; urgency=high
.
* Team upload
* d/p/admin-Prevent-access-if-any-authentication-agent-isn-t-av.patch:
Add patch from upstream to prevent members of the sudo group from
bypassing the intended password check for privileged access to files
via the admin: backend if no polkit authentication agents are
available (CVE-2019-3827, Closes: #921816)
* d/p/*: Update to upstream gnome-3-30 branch, commit 1.38.1-9-gd4dab113
- admin: Fix CVE-2019-3827 (see above)
- autorun: Don't crash if an autorun file is not valid UTF-8
- mtp: Don't busy-loop retrying reading an event after failure
- udisks2: Reinstate support for deprecated comment=x-gvfs-show fstab
option syntax (but please use x-gvfs-show instead)
- tests: Use the right SMB port if running in the sandbox
- Update translations: eu, sk, sr
* d/gbp.conf: Configure for debian/buster and upstream/1.38.x branches
* d/control: Use debian/buster branch in Vcs-Git
.
gvfs (1.42.0+really1.42.0-1) experimental; urgency=medium
.
* Team upload
* Re-upload 1.42.x to experimental, with a higher version number than
the revert to 1.38.x in unstable. It isn't ready for unstable just yet.
(Closes: #940026)
.
gvfs (1.42.0-1) unstable; urgency=medium
.
* New upstream release
.
gvfs (1.41.91-1) experimental; urgency=medium
.
[ Simon McVittie ]
* Add bug number and CVE ID to previous changelog entry
.
[ Iain Lane ]
* debian/watch: Find unstable versions
* New upstream release
+ admin: Add query_info_on_read/write functionality (CVE-2019-12448)
+ admin: Allow changing file owner (CVE-2019-12447)
+ admin: Ensure correct ownership when moving to file:// uri
(CVE-2019-12449)
+ admin: Prevent core dumps when daemon is manually started
+ admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
+ afc: Remove assumptions about length of device UUID to support new
devices
+ afp: Fix afp backend crash when no username supplied
+ build: Add dependency on gsettings-desktop-schemas
+ build: Bump required meson version to 0.50.0
+ build: Define gvfs_rpath for libgvfsdaemon.so
+ build: Several meson improvements
+ daemon: Check that the connecting client is the same user
(CVE-2019-12795)
+ daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
+ daemon/udisks2: Handle lockdown option to disable writing
+ daemon: Unify some translatable strings
+ fuse: Adapt gvfsd-fuse to use fuse 3.x
+ fuse: Define RENAME_* macros when they are not defined
+ fuse: Remove max_write limit
+ gmountsource: Fix deadlocks in synchronous API
+ google: Check ownership in is_owner() without additional HTTP request
+ google: Disable deletion of non-empty directories
+ google: Do not enumerate volatile entries if title matches id
+ google: Fix crashes when deleting if the file isn't found
+ google: Fix issue with stale entries remaining after rename operation
+ google: Support deleting shared Google Drive files
+ proxy: Don't leak a GVfsDBusDaemon
+ udisks2: Change display name for crypto_unknown devices
* debian/patches: Drop backported patches. We're further ahead now.
.
gvfs (1.40.1-3) experimental; urgency=medium
.
* Team upload
* d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
Add missing authentication, preventing a local attacker from connecting
to an abstract socket address learned from netstat(8) and issuing
arbitrary D-Bus method calls
(Closes: #930376, CVE-2019-12795)
* d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
Harden private D-Bus connection by rejecting the more complicated
DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL
.
gvfs (1.40.1-2) experimental; urgency=medium
.
* Team upload
* Update from upstream gnome-3-32 branch, commit 1.40.1-9-gec939a01,
to fix the admin backend
(Closes: #929755)
- Implement query_info_on_read/write to fix some race conditions
(CVE-2019-12448)
- Ensure that created files get the correct ownership (CVE-2019-12247)
- Ensure that copied files get the correct ownership (CVE-2019-12449)
- Fix deadlocks in synchronous API
- Various fixes for afc backend
- Update translation: zh_CN
* Remove obsolete version number from fuse dependency.
gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
so we can safely simplify to "Depends: fuse".
The versioned dependency is not satisfied by fuse3's unversioned
"Provides: fuse", but the unversioned dependency is. (Closes: #927221)
.
gvfs (1.40.1-1) experimental; urgency=medium
.
* New upstream release
.
gvfs (1.40.0-1) experimental; urgency=medium
.
* New upstream release
* Drop test-Remove-trailing-newline-from-the-IP-string.patch: Applied
.
gvfs (1.39.91-1) experimental; urgency=medium
.
* New upstream development release
* Add test-Remove-trailing-newline-from-the-IP-string.patch:
- Proposed patch to fix autopkgtest with glibc 2.29
.
gvfs (1.39.90-1) experimental; urgency=medium
.
* New upstream development release
* Bump minimum meson to 0.49.0
Checksums-Sha1:
c7f93e04f5be2794ac9a14b2cc190e2990a15904 3396 gvfs_1.42.1-1.dsc
7741122e301544a7a50fe057dcb421a60b0778f5 1204916 gvfs_1.42.1.orig.tar.xz
9388a90539c522b759c6101937ccfb585a36fa96 24508 gvfs_1.42.1-1.debian.tar.xz
f9a492075035d302151f479eb487617fa353cdf0 19187 gvfs_1.42.1-1_source.buildinfo
Checksums-Sha256:
6683cea560e042a5ca29a518f6e390a79950c6d6cc65c3e2a0a31f2159c8555b 3396 gvfs_1.42.1-1.dsc
9d06071b4a1d83671f76d0e3c32b66631671669d330fe21702f60a8611c37730 1204916 gvfs_1.42.1.orig.tar.xz
cc39d4466805abb4c8fd91fcc85b19d308ead56e64c81c7e772ee64f1b21c227 24508 gvfs_1.42.1-1.debian.tar.xz
d795f278d23cce5b189a70d27de20422bd46d1e1499595842f4ff50f57ff3edf 19187 gvfs_1.42.1-1_source.buildinfo
Files:
ba478b7038a6b4df058837378fb25121 3396 gnome optional gvfs_1.42.1-1.dsc
93592535508322548d44fa036b635a0a 1204916 gnome optional gvfs_1.42.1.orig.tar.xz
43fc9e8356c1bc33d06c4bd58e55624b 24508 gnome optional gvfs_1.42.1-1.debian.tar.xz
86f64d39f1bbdc3566ce99475bcc1eee 19187 gnome optional gvfs_1.42.1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAl2bVI4ACgkQ4FrhR4+B
TE+Yng//a8G5BPV2msyisPs9nAWKNXxpfQm5OtzHm33Sm4giMJl1cMDKowI5pVeL
ZvjY/EPO89fThzS/5+nmVnFnkSv+GH5L/pdR3zN1b1plOOmtaelmpu809CO+zkT+
486Etfw3dON0RKBz0+ix6ls9wDrSehALcur9qolFFa7V2QRZCdPAj3cEtBOmK3Sa
cBRn/ULWO4KEqTJ3+ENWZIpdoSpX+ypqVc8HYKHEZDLXgvX/H9+m6TarbNl1A1Gf
KkhT+82Fth4SwuZd1cx0Hj1TbdFMCphXShTWUAM8tPNYTOr0fdcbfhZvYh2O99Ll
TcigQbWiWWtL9er75XOacj+D4OGyK5YbeJLeQzFPYNkSHWyB/7umQ6n7T4sBY+Qq
JkBsCF1MX2bhm41bL6QYeLoLpz9DoFmpwYZJr/3GQBg2msh4/HKRz0fxJCa6Bc9p
O0WCD1qVXEpcyRy5kgOMP7AmfXIlEKEAlcwfs8lFR7HVw0DO0HKfzx6Lhf2luEXE
mzTwcbyhDnbM+MRDLtfnlagFgHStgLBc4Vfnl/YPDvVepvx0DGWJCYvFUa6J9+Rm
o21KhFrG7rFdpDIqwbsUcwsJuA5u994xF6ccz5a/fDHgXYzstLmXEk/Cs/slXJjP
e3yuSWbM+EKqIFuAile7iEqkRtrwn0XHuhbfyj+db85FqMRdxl4=
=gQYP
-----END PGP SIGNATURE-----