Changelog
devscripts (2.11.4) unstable; urgency=high

  * Urgency "high" for security fixes.

  [ James McCoy ]
  * bts: Revert usertags' handling of more than one +/-/=. Only the first one
    is relevant.

  [ Ryan Niebur ]
  * dget: when finding the sources.list entry for the repository to
    download a package from, match any port with the correct hostname
    because apt-cache policy does not output port numbers in URLs
    (Closes: #601951)

  [ Adam D. Barratt ]
  * debdiff:
    + Fix a regression in the handling of embedded tarballs (a side
      effect of the changes introduced to resolve #571528).
    + Extend the changes from #571528 to cover more situations where
      user or file input is passed to an external program. Fixes
      CVE-2012-2012 (and any instance of CVE-2012-2011 not already
      covered by #571528).

  [ Paul Wise ]
  * suspicious-source: Also ignore mercurial and darcs VCS directories
    (Closes: #659966).

  [ Benjamin Drung ]
  * suspicious-source: Add inode/x-empty to whitelist of MIME types
    (Closes: #659946).

  [ Raphael Geissert ]
  * debdiff:
    + Remove undocumented feature treating extensionless files as if
      they were packages (Closes: #659559)
    + Add missing chdir for dpkg-source and remove extraneous quoting
      of --exclude parameters.
    + Fix CVE-2012-0210 (insufficient input sanitising reading .dsc
      and .changes files).

 -- Adam D. Barratt <email address hidden>  Wed, 15 Feb 2012 19:19:31 +0000