Change logs for apport source package in Groovy

  • apport (2.20.11-0ubuntu50.7) groovy-security; urgency=medium
    
      * SECURITY UPDATE: Multiple arbitrary file reads (LP: #1917904)
        - apport/hookutils.py: don't follow symlinks and make sure the file
          isn't a FIFO in read_file().
        - test/test_hookutils.py: added symlink tests.
        - CVE-2021-32547, CVE-2021-32548, CVE-2021-32549, CVE-2021-32550,
          CVE-2021-32551, CVE-2021-32552, CVE-2021-32553, CVE-2021-32554,
          CVE-2021-32555
      * SECURITY UPDATE: info disclosure via modified config files spoofing
        (LP: #1917904)
        - backends/packaging-apt-dpkg.py: properly terminate arguments in
          get_modified_conffiles.
        - CVE-2021-32556
      * SECURITY UPDATE: arbitrary file write (LP: #1917904)
        - data/whoopsie-upload-all: don't follow symlinks and make sure the
          file isn't a FIFO in process_report().
        - CVE-2021-32557
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 May 2021 09:15:10 -0400
  • apport (2.20.11-0ubuntu50.6) groovy; urgency=medium
    
      * data/general-hooks/ubuntu.py: tag bugs from Raspberry Pi images and RISCV
        images appropriately. (LP: #1920837)
      * apport/hookutils.py: spawn pkttyagent so that log files can be gathered as
        root in a non-graphical environment (LP: #1821415). Thanks to Iain Lane
        for the patch.
      * apport/hookutils.py: root access is needed to read the
        casper-md5check.json file so switch to using that. (LP: #1922937)
    
     -- Brian Murray <email address hidden>  Mon, 26 Apr 2021 12:45:36 -0700
  • apport (2.20.11-0ubuntu50.5) groovy-security; urgency=medium
    
      * SECURITY UPDATE: multiple security issues (LP: #1912326)
        - CVE-2021-25682: error parsing /proc/pid/status
        - CVE-2021-25683: error parsing /proc/pid/stat
        - CVE-2021-25684: stuck reading fifo
        - data/apport: make sure existing report is a regular file.
        - apport/fileutils.py: move some logic here to skip over manipulated
          process names and filenames.
        - test/test_fileutils.py: added some parsing tests.
    
     -- Marc Deslauriers <email address hidden>  Tue, 26 Jan 2021 07:21:46 -0500
  • apport (2.20.11-0ubuntu50.3) groovy; urgency=medium
    
      * data/apport: only drop supplemental groups if we are root. (LP: #1906565)
    
     -- Brian Murray <email address hidden>  Wed, 02 Dec 2020 12:51:33 -0800
  • apport (2.20.11-0ubuntu50.2) groovy; urgency=medium
    
      * data/apport: Modify the check for whether or not a process is running in
        the same namespace so that crashes from processes running protected in the
        system.slice are considered as being from the same namespace. (LP: #1870060)
    
     -- Brian Murray <email address hidden>  Mon, 16 Nov 2020 14:33:58 -0800
  • apport (2.20.11-0ubuntu50.1) groovy-security; urgency=medium
    
      * Various security hardening fixes (LP: #1903332)
        - apport/fileutils.py: drop privileges in the correct order, limit
          settings file size.
        - apport/apport/report.py: properly drop privileges, limit ignore file
          size.
        - data/apport: drop supplemental groups.
    
     -- Marc Deslauriers <email address hidden>  Tue, 10 Nov 2020 15:03:57 -0500
  • apport (2.20.11-0ubuntu50) groovy; urgency=medium
    
      * etc/apport/crashdb.conf: Disable Launchpad crash reports for 20.10
        release.
      * data/apport: In the event that the crashing executable does not exist on
        disk any more, the path name of the executable (passed by core) is appended
        with '(deleted)'. Because apport is currently using sys.argv for argument
        parsing, there end up being too many arguments and apport crashes. This is
        fixed by adding handling for six arguments. (LP: #1899195)
    
     -- Brian Murray <email address hidden>  Mon, 12 Oct 2020 13:44:05 -0700
  • apport (2.20.11-0ubuntu49) groovy; urgency=medium
    
      * data/whoopsie-upload-all: Handle the case where the .crash file is newer
        than the .uploaded file by removing the .uploaded and .upload files
        thereby causing the crash to get submitted. (LP: #1891657)
    
     -- Brian Murray <email address hidden>  Thu, 01 Oct 2020 15:41:28 -0700
  • apport (2.20.11-0ubuntu48) groovy; urgency=medium
    
      * data/whoopsie-upload-all: When processing reports if a .crash file already
        has a corresponding .uploaded file which is newer than the .crash file
        remove the .crash file. This reduces the number of times the
        apport-autoreport.service runs. (LP: #1891657)
    
     -- Brian Murray <email address hidden>  Fri, 25 Sep 2020 14:49:27 -0700
  • apport (2.20.11-0ubuntu47) groovy; urgency=medium
    
      [ Tiago Stürmer Daitx ]
      * apport/ui.py: improve message when origin check fails as it can be
        caused by empty apt list - candidate is limited to dpkg and we can't
        tell where it came from. (LP: #1775219)
    
     -- Brian Murray <email address hidden>  Mon, 21 Sep 2020 15:02:17 -0700
  • apport (2.20.11-0ubuntu46) groovy; urgency=medium
    
      [ Brian Murray ]
      * apport/hookutils.py: call dump_acpi_tables.py with root_command_output
        thereby avoiding a PermissionError.
      * data/dump_acpi_tables.py: If the user cannot read the acpi tables don't
        try and print them. (LP: #1895865)
      * apport/hookutils.py: use root_command_output to gather dmesg rather than
        failing to include it. (LP: #1896095)
    
      [ YC Cheng ]
      * bin/oem-getlogs: add ucm2 directory. Per Hui Wang, ucm3 also
        uses ucm2 directory. (LP: #1893899)
      * apport/hookutils.py: add new pa-info command in pulseaudio
        pre requested by Hui Wang. (LP: #1893899)
    
     -- Brian Murray <email address hidden>  Mon, 21 Sep 2020 10:19:02 -0700
  • apport (2.20.11-0ubuntu45) groovy; urgency=medium
    
      [ YC Cheng ]
      * apport/hookutils.py: add acpidump using built-in dump_acpi_tables.py.
        (LP: #1888352)
      * bin/oem-getlogs: add "-E" in the usage, since we'd like to talk to
        pulseaudio session and that needs environment information. Also remove
        acpidump since we will use the one from hook.
    
      [ Brian Murray ]
      * data/general-hooks/ubuntu.py: Check for /var/run/reboot-required.pkgs and
        add it to the report as RebootRequiredPkgs.
    
     -- Brian Murray <email address hidden>  Wed, 26 Aug 2020 15:57:02 -0700
  • apport (2.20.11-0ubuntu44) groovy; urgency=medium
    
      * SECURITY UPDATE: information disclosure issue (LP: #1885633)
        - data/apport: also drop gid when checking if user session is closing.
        - CVE-2020-11936
      * SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
        - apport/report.py: don't crash on malformed mtime values.
        - CVE-2020-15701
      * SECURITY UPDATE: TOCTOU in core file location
        - data/apport: make sure the process hasn't been replaced after Apport
          has started.
        - CVE-2020-15702
      * apport/ui.py, test/test_ui.py: make sure a PID is specified when using
        --hanging (LP: #1876659)
    
     -- Marc Deslauriers <email address hidden>  Fri, 31 Jul 2020 09:10:30 -0400
  • apport (2.20.11-0ubuntu43) groovy; urgency=medium
    
      * d/control: Offer real package alternatives along with x-terminal-server
        for apport-gtk and apport-kde (LP: #1881976).
    
     -- Dariusz Gadomski <email address hidden>  Thu, 23 Jul 2020 08:52:46 +0200
  • apport (2.20.11-0ubuntu42) groovy; urgency=medium
    
      * Fix pep8 errors regarding ambiguous variables.
    
     -- Brian Murray <email address hidden>  Wed, 24 Jun 2020 09:15:51 -0700
  • apport (2.20.11-0ubuntu41) groovy; urgency=medium
    
      [ Daniel Watkins ]
      * apport/crashdb_impl/launchpad.py: ensure that project will always be set
        in get_comment_url. (LP: #1884221)
    
      [ Brian Murray ]
      * data/dump_acpi_tables.py: update the output thanks to Alex Hung for the
        patch. (LP: #1883027)
    
     -- Brian Murray <email address hidden>  Tue, 23 Jun 2020 16:02:46 -0700
  • apport (2.20.11-0ubuntu40) groovy; urgency=medium
    
      * Build-depend on python3-requests-unixsocket.
    
     -- Brian Murray <email address hidden>  Wed, 10 Jun 2020 12:30:43 -0700
  • apport (2.20.11-0ubuntu39) groovy; urgency=medium
    
      * Add functionality to apport so that ubuntu-bug can be used to report a bug
        about a snap using information from the snap's contact field. Thanks to
        Lukas Märdian for the patch. (LP: #1861082)
    
     -- Brian Murray <email address hidden>  Wed, 10 Jun 2020 11:25:22 -0700
  • apport (2.20.11-0ubuntu38) groovy; urgency=medium
    
      * apport/report.py: If the user is not a part of any system groups then
        set UserGroups to 'N/A'. (LP: #1427600)
    
     -- Brian Murray <email address hidden>  Wed, 03 Jun 2020 15:32:17 -0700
  • apport (2.20.11-0ubuntu37) groovy; urgency=medium
    
      * apport/report.py: If the user is not a part of any system groups then
        set UserGroups to an empty string. (LP: #1427600)
    
     -- Brian Murray <email address hidden>  Tue, 02 Jun 2020 10:19:45 -0700
  • apport (2.20.11-0ubuntu36) groovy; urgency=medium
    
      * Build-depend on pyflakes3, not obsolete pyflakes.
    
     -- Steve Langasek <email address hidden>  Wed, 20 May 2020 08:18:11 -0700
  • apport (2.20.11-0ubuntu35) groovy; urgency=medium
    
      * kde/apport-kde: Stop showing 'text' instead of a useful string. Thanks to
        Launchpad user Niklas Sombert for the patch. (LP: #1879150)
    
     -- Brian Murray <email address hidden>  Mon, 18 May 2020 10:28:25 -0700
  • apport (2.20.11-0ubuntu34) groovy; urgency=medium
    
      * apport_python_hook.py: if python apt modules are not built for the python
        version then do capture the crash. (LP: #1774843)
    
     -- Brian Murray <email address hidden>  Wed, 13 May 2020 16:17:11 -0700
  • apport (2.20.11-0ubuntu33) groovy; urgency=medium
    
      [ Olivier Tilloy ]
      * gtk/apport-gtk: upgrade regular expression used to match URLs in free text
        (LP: #1871185)
    
     -- Brian Murray <email address hidden>  Thu, 07 May 2020 14:54:20 -0700
  • apport (2.20.11-0ubuntu32) groovy; urgency=medium
    
      * debian/apport.install: Add in a source package hook for linux-meta-raspi
        which provides linux-raspi and linux-raspi2. (LP: #1876952)
    
     -- Brian Murray <email address hidden>  Tue, 05 May 2020 09:29:28 -0700
  • apport (2.20.11-0ubuntu31) groovy; urgency=medium
    
      * data/general-hooks/ubuntu.py: collect ImageMediaBuild information which
        exists on preinstalled RPi images. (LP: #1876945)
    
     -- Brian Murray <email address hidden>  Tue, 05 May 2020 08:37:39 -0700
  • apport (2.20.11-0ubuntu30) groovy; urgency=medium
    
      * Add in a source package hook symlink for linux-firmware. (LP: #1872059)
    
     -- Brian Murray <email address hidden>  Tue, 05 May 2020 08:11:39 -0700
  • apport (2.20.11-0ubuntu29) groovy; urgency=medium
    
      * debian/apport.install: remove linux 5.4 versioned package hooks.
      * debian/apport.install: add linux-raspi, linux-raspi2 package hooks.
      * etc/apport/crashdb.conf: Enable Launchpad crash reports for 20.10
        release.
    
     -- Brian Murray <email address hidden>  Mon, 04 May 2020 16:25:15 -0700
  • apport (2.20.11-0ubuntu28) groovy; urgency=medium
    
      * Point Vcs-Bzr to groovy branch
      * debian/tests/control: Depend on python3-twisted, not python-twisted-core
    
     -- Julian Andres Klode <email address hidden>  Sun, 26 Apr 2020 14:02:39 +0200
  • apport (2.20.11-0ubuntu27) focal; urgency=medium
    
      * backends/packaging-apt-dpkg.py, apport/sandboxutils.py: Add modifications
        to the retracing process to resolve failures to retrace due to user merge
        changes.
      * etc/apport/crashdb.conf: Disable Launchpad crash reports for 20.04
        release.
    
     -- Brian Murray <email address hidden>  Wed, 15 Apr 2020 17:01:49 -0700
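
Added example, not apport's own code: one way to implement the hardening that the 2.20.11-0ubuntu50.7 and 2.20.11-0ubuntu50.5 entries describe (don't follow symlinks, refuse FIFOs, require a regular file) when a privileged process reads a path that an unprivileged user can influence. The names `read_regular_file` and `demo` and the size limit are assumptions made for illustration; Linux is assumed.

```python
import errno
import os
import stat
import tempfile


def read_regular_file(path, max_size=1024 * 1024):
    """Return the bytes of path, or None if it is a symlink, a FIFO or another
    non-regular file, or if it is larger than max_size (hypothetical limit)."""
    # O_NOFOLLOW: fail with ELOOP if the final path component is a symlink
    # (it does not protect against symlinks in parent directories).
    # O_NONBLOCK: opening a FIFO with no writer returns at once, not hanging.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOENT, errno.EACCES, errno.ENXIO):
            return None
        raise
    try:
        # Check the type on the open descriptor, not on the path, so the
        # object cannot be swapped between the check and the read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
            return None
        with os.fdopen(fd, "rb", closefd=False) as f:
            return f.read(max_size)
    finally:
        os.close(fd)


def demo():
    """Run the reader over constructed inputs: a file, a symlink, a FIFO."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "report.log")
        with open(target, "wb") as f:
            f.write(b"constructed sample data\n")
        link = os.path.join(d, "link.log")
        os.symlink(target, link)
        fifo = os.path.join(d, "fifo.log")
        os.mkfifo(fifo)
        return {
            "regular": read_regular_file(target),
            "symlink": read_regular_file(link),
            "fifo": read_regular_file(fifo),
        }


if __name__ == "__main__":
    print(demo())
```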