-
gvfs (1.42.1-1ubuntu1) eoan; urgency=medium
  * Update to the current stable version by rebasing on Debian
    - Revert upstream changes to port to fuse 3. This is in universe in
      Ubuntu and we'll need to work out how to move over.
 -- Sebastien Bacher <email address hidden>  Tue, 08 Oct 2019 17:06:01 +0200
-
gvfs (1.42.0-1ubuntu1) eoan; urgency=medium
  * Revert upstream changes to port to fuse 3. This is in universe in Ubuntu
    and we'll need to work out how to move over.
 -- Sebastien Bacher <email address hidden>  Tue, 10 Sep 2019 21:03:10 +0200
-
gvfs (1.41.91-1ubuntu2) eoan; urgency=medium
  * No-change upload with stropts.h and sys/stropts.h removed in glibc.
 -- Matthias Klose <email address hidden>  Thu, 05 Sep 2019 13:38:45 +0200
-
gvfs (1.41.91-1ubuntu1) eoan; urgency=medium
  * Revert upstream changes to port to fuse 3. This is in universe in Ubuntu
    and we'll need to work out how to move over.

gvfs (1.41.91-1) experimental; urgency=medium
  [ Simon McVittie ]
  * Add bug number and CVE ID to previous changelog entry
  [ Iain Lane ]
  * debian/watch: Find unstable versions
  * New upstream release
    + admin: Add query_info_on_read/write functionality (CVE-2019-12448)
    + admin: Allow changing file owner (CVE-2019-12447)
    + admin: Ensure correct ownership when moving to file:// uri
      (CVE-2019-12449)
    + admin: Prevent core dumps when daemon is manually started
    + admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
    + afc: Remove assumptions about length of device UUID to support new
      devices
    + afp: Fix afp backend crash when no username supplied
    + build: Add dependency on gsettings-desktop-schemas
    + build: Bump required meson version to 0.50.0
    + build: Define gvfs_rpath for libgvfsdaemon.so
    + build: Several meson improvements
    + daemon: Check that the connecting client is the same user
      (CVE-2019-12795)
    + daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
    + daemon/udisks2: Handle lockdown option to disable writing
    + daemon: Unify some translatable strings
    + fuse: Adapt gvfsd-fuse to use fuse 3.x
    + fuse: Define RENAME_* macros when they are not defined
    + fuse: Remove max_write limit
    + gmountsource: Fix deadlocks in synchronous API
    + google: Check ownership in is_owner() without additional HTTP request
    + google: Disable deletion of non-empty directories
    + google: Do not enumerate volatile entries if title matches id
    + google: Fix crashes when deleting if the file isn't found
    + google: Fix issue with stale entries remaining after rename operation
    + google: Support deleting shared Google Drive files
    + proxy: Don't leak a GVfsDBusDaemon
    + udisks2: Change display name for crypto_unknown devices
  * debian/patches: Drop backported patches. We're further ahead now.

gvfs (1.40.1-3) experimental; urgency=medium
  * Team upload
  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
    Add missing authentication, preventing a local attacker from connecting
    to an abstract socket address learned from netstat(8) and issuing
    arbitrary D-Bus method calls
    (Closes: #930376, CVE-2019-12795)
  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
    Harden private D-Bus connection by rejecting the more complicated
    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL

gvfs (1.40.1-2) experimental; urgency=medium
  * Team upload
  * Update from upstream gnome-3-32 branch, commit 1.40.1-9-gec939a01,
    to fix the admin backend
    (Closes: #929755)
    - Implement query_info_on_read/write to fix some race conditions
      (CVE-2019-12448)
    - Ensure that created files get the correct ownership (CVE-2019-12247)
    - Ensure that copied files get the correct ownership (CVE-2019-12449)
    - Fix deadlocks in synchronous API
    - Various fixes for afc backend
    - Update translation: zh_CN
  * Remove obsolete version number from fuse dependency.
    gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
    so we can safely simplify to "Depends: fuse".
    The versioned dependency is not satisfied by fuse3's unversioned
    "Provides: fuse", but the unversioned dependency is. (Closes: #927221)
 -- Iain Lane <email address hidden>  Wed, 21 Aug 2019 12:33:35 +0100
-
gvfs (1.40.1-1ubuntu1) eoan; urgency=medium
  * SECURITY UPDATE: file ownership mishandling
    - debian/patches/CVE-2019-12447-1.patch: allow changing file owner in
      daemon/gvfsbackendadmin.c.
    - debian/patches/CVE-2019-12447-2.patch: use fsuid to ensure correct
      file ownership in daemon/gvfsbackendadmin.c.
    - CVE-2019-12447
  * SECURITY UPDATE: race conditions in admin backend
    - debian/patches/CVE-2019-12448.patch: add query_info_on_read/write
      functionality in daemon/gvfsbackendadmin.c.
    - CVE-2019-12448
  * SECURITY UPDATE: user and group ownership mishandling during move
    - debian/patches/CVE-2019-12449.patch: ensure correct ownership when
      moving to file:// uri in daemon/gvfsbackendadmin.c.
    - CVE-2019-12449
  * SECURITY UPDATE: incorrect D-Bus server socket restrictions
    - debian/patches/CVE-2019-12795-1.patch: check that the connecting
      client is the same user in daemon/gvfsdaemon.c.
    - debian/patches/CVE-2019-12795-2.patch: only accept EXTERNAL
      authentication in daemon/gvfsdaemon.c.
    - CVE-2019-12795
 -- Marc Deslauriers <email address hidden>  Fri, 05 Jul 2019 08:31:52 -0400
-
gvfs (1.40.1-1) experimental; urgency=medium
  * New upstream release
 -- Sebastien Bacher <email address hidden>  Tue, 09 Apr 2019 16:10:24 +0200