-
fuse (2.8.1-1.1ubuntu3.1) lucid-security; urgency=low
* SECURITY UPDATE: arbitrary unprivileged unmount
- debian/patches/CVE-2011-0541.dpatch: don't follow symlinks when
unmounting in case of a failed mtab update in util/fusermount.c.
- debian/patches/CVE-2011-0542.dpatch: chdir to / before performing
mount/umount in util/fusermount.c.
- debian/patches/CVE-2011-0543.dpatch: remove legacy util-linux
support so symlinks don't get followed upon fallback in
lib/mount_util.c, util/fusermount.c.
- CVE-2011-0541
- CVE-2011-0542
- CVE-2011-0543
-- Marc Deslauriers <email address hidden> Fri, 11 Feb 2011 13:41:20 -0500
-
fuse (2.8.1-1.1ubuntu3) lucid-proposed; urgency=low
* debian/fuse-utils.postinst:
Respect local modifications to /etc/fuse.conf by not changing the
ownership or mode of /etc/fuse.conf in the postinst file unless we're
also adding the fuse group for the first time. (LP: #697792)
-- Barry Warsaw <email address hidden> Mon, 24 Jan 2011 11:25:19 -0500
-
fuse (2.8.1-1.1ubuntu2.2) lucid-security; urgency=low
* SECURITY UPDATE: arbitrary unprivileged unmount (LP: #670622)
- debian/patches/CVE-2010-3879.dpatch: backported numerous fuse fixes
from git tree to fix security issues.
- Use "--no-canonicalize' option of mount(8)
- Fix race if two "fusermount -u" instances are run in parallel
- Make sure the path to be unmounted doesn't refer to a symlink
- Use umount --fake to update /etc/mtab
- debian/patches/200-fix_mount_symlink_handling: removed, changes are
in the new patch.
- debian/control: make libfuse2 depend on version of mount that
contains backported --fake support.
- This package does not contain the changes from the 2.8.1-1.1ubuntu2.1
fuse package in -proposed.
- CVE-2010-3879
-- Marc Deslauriers <email address hidden> Thu, 09 Dec 2010 11:27:18 -0500
-
fuse (2.8.1-1.1ubuntu2.1) lucid-proposed; urgency=low
* Use 'mount --no-canonicalize' to avoid deadlocks if audit is enabled in
the kernel; also fix race if two 'fusermount -u' processes are run in
parallel (fixes by Miklos Szeredi, backported from upstream;
LP: #634554).
-- Colin Watson <email address hidden> Tue, 09 Nov 2010 20:32:24 +0000
-
fuse (2.8.1-1.1ubuntu2) lucid; urgency=low
* SECURITY UPDATE: local attacker can trick fuse into unmounting a
filesystem from the wrong location.
- debian/patches/200-fix_mount_symlink_handling: upstream
fixes.
- CVE-2009-3297
-- Kees Cook <email address hidden> Mon, 25 Jan 2010 17:10:52 -0800
-
fuse (2.8.1-1.1ubuntu1) lucid; urgency=low
* Merge with Debian testing (lp: #506958). Remaining changes:
- debian/control: Add Breaks to ensure right version of udev is used.
- Use udev rules instead of init script:
+ Add debian/45-fuse.rules: Put /dev/fuse into group fuse.
+ debian/fuse-utils.postinst: Try to load the fuse module only if it's
still a module, remove it from /etc/modules/ anyway.
+ debian/rules, debian/fuse-utils.install: Don't install the init
script; install the udev rule.
- initramfs support, for booting from ntfs-3g in wubi:
+ debian/fuse-utils.initramfs-hook: Copy /sbin/mount.fuse and the fuse
kernel module into the initramfs. Use manual_add_modules not
force_load; fuse will be loaded automatically if necessary (it's a
built-in in Ubuntu anyway)
+ debian/rules: Install above file into fuse-utils.
+ debian/fuse-utils.postinst: Call update-initramfs.
+ (Forwarded to Debian #505691)
- Create libfuse2-udeb and fuse-utils-udeb. (Forwarded to Debian #505697)
- debian/fuse-utils.install: Install ulockmgr_server.
- debian/{rules,libfuse2.install,fuse-utils.lintian}: Move fusermount and
ulockmgr_server to /bin and associated libraries to /lib. This allows
mounting ntfs filesystems in /etc/fstab. (Debian #452412)
- debian/{rules,fuse-utils.postinst}: Install fusermount with 4755
permissions (remaining change from "Dynamic foreground user access").
- debian/fuse-utils.postinst:
+ Don't fail if udev is running and /dev/fuse does not exist.
(Forwarded to Debian #505685)
- debian/fuse-utils.preinst:
+ Remove the module configuration file on upgrade if unmodified.
+ Remove old rules file if unchanged
fuse (2.8.1-1.1) unstable; urgency=low
* Non-maintainer upload.
* Apply patch from Petr Salinger to fix FTBFS on GNU/kFreeBSD (Closes:
#552600)
* Apply patch from Vagrant Cascadian to run MAKEDEV only if found
(Closes: #550334, #553015)
* Invoke dh_makeshlibs with an appropriately strict dependency
(Closes: #557143)
fuse (2.8.1-1) unstable; urgency=low
* New upstream version (Closes: #543176)
- fixes missing fuse_reply_bmap (Closes: #531329)
* Fixes problem with udev (Closes: #543271, #473545)
* Changed order of dependencies udev/makedev (Closes: #546867)
* Correctly uses MAKEDEV and doesn't mess with udev anymore (Closes: #534572)
* Doesn't use libulockmgr patch anymore, fixed upstream.
* Shipped with README.Source file.
fuse (2.7.4-2) unstable; urgency=low
* Ack previous NMU, thanks.
* Initscript LSB headers now depend on $remote_fs (Closes: #533028).
* Install fusermount with restricted permissions to avoid a race condition
during package installation (Closes: #502300).
* Bump Standards-Version.
* Merge Aurelien Jarno's patch to support GNU/kFreeBSD (Closes: #528537).
* Add missing pthread link for libulockmgr.
-- Michael Bienia <email address hidden> Wed, 13 Jan 2010 14:48:39 +0100
-
fuse (2.7.4-1.1ubuntu4.2) lucid; urgency=low
* debian/fuse-utils.initramfs-hook:
- use manual_add_modules not force_load; fuse will be loaded automatically
if necessary (it's a built-in in Ubuntu anyway)
-- Scott James Remnant <email address hidden> Fri, 18 Dec 2009 02:19:06 +0000
-
fuse (2.7.4-1.1ubuntu4.1) karmic-proposed; urgency=low
* debian/fuse-utils.postinst:
- do not fail if udev can not be reloaded (LP: #444979)
-- Michael Vogt <email address hidden> Wed, 28 Oct 2009 10:34:02 +0100
-
fuse (2.7.4-1.1ubuntu4) jaunty; urgency=low
* debian/fuse-utils.modprobe: Drop, we'll build this module into the kernel
and do this with the other kernel filesystems
* debian/fuse-utils.preinst: Remove on upgrade if unmodified
* debian/rules: Update
* debian/fuse-utils.install: Update
* debian/fuse-utils-udeb.install: Update
* debian/fuse-utils.postinst: Only try to load if it's still a module,
remove from /etc/modules anyway
-- Scott James Remnant <email address hidden> Thu, 05 Mar 2009 17:18:15 +0000
