debian/control · 8d908f2b522a8dd8db0b396d62ae546d87ff146a · pkg / gvfs

5 years ago

Import Debian changes 1.38.1-5 · 8d908f2b

Simon McVittie authored 5 years ago

gvfs (1.38.1-5) unstable; urgency=high

  * Team upload
  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
    Add missing authentication, preventing a local attacker from connecting
    to an abstract socket address learned from netstat(8) and issuing
    arbitrary D-Bus method calls
  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
    Harden private D-Bus connection by rejecting the more complicated
    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL.

gvfs (1.38.1-4) unstable; urgency=high

  * Team upload
  * Update from upstream gnome-3-30 branch to fix the admin backend
    (Closes: #929755)
    - Implement query_info_on_read/write to fix some race conditions
      (CVE-2019-12448)
    - Ensure that created files get the correct ownership (CVE-2019-12247)
    - Ensure that copied files get the correct ownership (CVE-2019-12449)
  * Remove obsolete version number from fuse dependency.
    gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
    so we can safely simplify to "Depends: fuse".
    The versioned dependency is not satisfied by fuse3's unversioned
    "Provides: fuse", but the unversioned dependency is. (Closes: #927221)

8d908f2b

History

Import Debian changes 1.38.1-5

Simon McVittie authored 5 years ago

gvfs (1.38.1-5) unstable; urgency=high

  * Team upload
  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
    Add missing authentication, preventing a local attacker from connecting
    to an abstract socket address learned from netstat(8) and issuing
    arbitrary D-Bus method calls
  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
    Harden private D-Bus connection by rejecting the more complicated
    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL.

gvfs (1.38.1-4) unstable; urgency=high

  * Team upload
  * Update from upstream gnome-3-30 branch to fix the admin backend
    (Closes: #929755)
    - Implement query_info_on_read/write to fix some race conditions
      (CVE-2019-12448)
    - Ensure that created files get the correct ownership (CVE-2019-12247)
    - Ensure that copied files get the correct ownership (CVE-2019-12449)
  * Remove obsolete version number from fuse dependency.
    gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
    so we can safely simplify to "Depends: fuse".
    The versioned dependency is not satisfied by fuse3's unversioned
    "Provides: fuse", but the unversioned dependency is. (Closes: #927221)