lintian (2.5.50.1ubuntu0.1) zesty-security; urgency=medium
* SECURITY UPDATE: code execution via YAML parsing
- checks/upstream-metadata.pm: disable YAML parser.
- t/tests/upstream-metadata-invalid-yml/skip: skip test.
- 0a2f38ecbc70d34a4b77c93a030555b310bd34ff
- CVE-2017-8829
-- Marc Deslauriers <email address hidden> Mon, 05 Jun 2017 14:30:51 -0400
-
lintian (2.5.50.1) unstable; urgency=medium
* debian/copyright:
+ [EB] Add Edward Betts.
* data/spelling/corrections:
+ [NT] Apply patches from Edward Betts to fix bugs in the correction
word lists. (Closes: #852005, #852084)
+ [NT] Apply patch from Edward Betts to remove corrections for
"targetted" and "targetting" as they are valid alternative
spellings in AU. (Closes: #852145)
* t/runtests:
+ [NT] Re-sort test output after running the "post_test" sed script
on the output. This prevents test failures caused by the order
changing on different architectures before the sed script is run
(assuming the sed script otherwise normalises the differences
correctly).
* t/tests/cruft-general-upstream/pre_upstream:
+ [EB] Fix failing tests by making the fake flash object more
convincing. The most recent version of libmagic uses a more precise
definition of the data within a flash file. (Closes: #852891)
* vendors/ubuntu/main/data/changes-file/known-dists:
+ [CW] Add zesty.
-- Niels Thykier <email address hidden> Sat, 04 Feb 2017 15:05:07 +0000
-
lintian (2.5.50) unstable; urgency=medium
* Summary of tag changes:
+ Added:
- invalid-value-in-built-using-field
- license-problem-convert-utf-code
- new-package-should-not-package-python2-module
- php-script-but-no-php-cli-dep
- php-script-with-unusual-interpreter
+ Removed:
- php-script-but-no-phpX-cli-dep
* checks/binaries.{desc,pm}:
+ [NT] Handle RUNPATH like we handle RPATH. (Closes: #844903)
+ [NT] Update hardening-no-pie description to reflect that
PIE is on by default in Debian.
* checks/cruft.desc:
+ [BR] Detect utf convert non free code.
(Closes: #843595)
* checks/deb-format.pm:
+ [NT] Permit uncompressed {control,data}.tar members plus xz
compressed control.tar files in deb files. Thanks to
Guillem Jover for the report. (Closes: #834867)
* checks/debhelper.pm:
+ [BR] Apply patch from Yann Soubeyrand:
"Allow debhelper "--with" addons to be quoted".
(Closes: #839822)
* checks/files.{desc,pm}:
+ [NT] Check for invalid clauses in "Built-Using" fields. Thanks to
Andrey Rahmatullin for the suggestion. (Closes: #847558)
+ [NT] Apply patch from Josh Triplett to add new sections to
descriptions.
* checks/files.desc:
+ [NT] Document that we no longer accept "virtual packages"
for deliberately empty packages. If your package receives
an "empty-binary-package" tag, please replace the use of
"virtual package".
* checks/{files,scripts}.pm:
+ [NT] Apply patch from Josh Triplett to exclude files under
/usr/share/cargo/registry/ from a few checks as that directory
contains unmodified upstream sources. (Closes: #845201)
* checks/manpages.pm:
+ [JW, NT] Fix false negative manpage-named-after-build-path
for packages built by sbuild. (Closes: #801760)
* checks/scripts.{desc,pm}:
+ [JW, NT] Apply patch from Antonio Ospite that updates the
test for php scripts without a php-cli dependency. Thanks
to Ondřej Surý for the report and Mathieu Parent for the
initial patch. (Closes: #818962)
+ [CL, NT] Warn about new source packages providing a python2
package as EOL for python2 is expected in 2020, which is
before buster's expected EOL. (Closes: #829744)
* collection/objdump-info.desc:
+ [NT] Bump version due to RUNPATH collection.
* commands/lintian:
+ [NT] Deprecate --fail-on-warnings, which will be removed in
Debian/buster.
* data/binaries/embedded-libs:
+ [BR] Allow openssl1.0 as source package. (Closes: #843406).
* data/debhelper/dh_commands-manual:
+ [NT] Apply patch from Piotr Ożarowski that ensures that
consumers of dh_python2 Build-Depends on dh-python.
(Closes: #740161)
* data/fields/archive-sections:
+ [NT] Apply patch from Josh Triplett to add javascript and
rust sections. (Closes: #847535)
* data/files/privacy-breaker-websites:
+ [BR] Detect more logos.
* data/scripts/interpreters:
+ [NT] Apply patch from Antonio Ospite to correct a false
positive warning for python scripts using python2 in the
shebang line. Thanks to Per Andersson for the report and
Luca Boccassi for the initial patch for solving this.
(Closes: #743599)
* data/spelling/corrections:
+ [PW] Add more corrections.
* data/spelling/corrections-case:
+ [EG] Correct spelling of Lua (Closes: #842781)
* helpers/coll/objdump-info-helper:
+ [NT] Extract RUNPATH from binaries as well.
* lib/Lintian/Collect/Binary.pm:
+ [NT] Expose RUNPATH when set in the binary.
+ [NT] Remove "virtual package" from the list of phrases
marking a package as a meta-package. Thanks to Stuart
Prescott for the report. (Closes: #685029)
* profiles/kali/main.profile:
+ [NT] Add a profile for Kali Linux. Thanks to Raphaël
Hertzog for the report. (Closes: #847318)
* vendors/kali/main/data/changes-file/known-dists:
+ [NT] Add data file for Kali Linux.
-- Niels Thykier <email address hidden> Mon, 26 Dec 2016 16:07:20 +0000
-
lintian (2.5.49) unstable; urgency=medium
* Summary of tag changes:
+ Added:
- homepage-for-bioconductor-package-not-canonical
* checks/debhelper.desc:
+ [CL] Drop double leading spaces in includes-maint-script-parameters
paragraph that was causing indentation when rendered on lintian.d.o.
* checks/fields.{pm,desc}:
+ [NT] Apply patch from Dylan Aïssi to tag non-canonical uses of
the bioconductor homepage in the Homepage field. (Closes: #839874)
+ [JW] Apply patch from Dylan Aïssi to tag r-other packages not in
section "gnu-r". (Closes: #841455)
* checks/init.d.pm:
+ [JW] Don't require version constraint for lsb-base dependencies.
The needed version has been available for many stable releases.
* checks/shared-libs.pm:
+ [JW] Don't complain about executable bit for ld.so shipped in
multi-arch directories.
+ [JW] Don't complain about missing SONAME for position-independent
executables. Thanks to Reuben Thomas for the bug report.
(Closes: #731987)
+ [JW] Check for PT_GNU_STACK existence on all architectures.
* checks/source-copyright.pm:
+ [RA, JW] Fix handling punctuation characters in license expressions
in machine-readable copyright files. (Closes: #841356)
* checks/watch-file.pm:
+ [JW] Assume that watch files containing the pgpmode option (different
than "none") verify upstream signature. Thanks to Robert Luberda for
the bug report. (Closes: #841000)
* data/cruft/non-distributable-files:
+ [BR] Add some rapidjson files.
* data/debhelper/compat-level:
+ [NT] Bump the deprecated debhelper compat level to match the one
in debhelper.
* data/files/privacy-breaker-tag-attr:
+ [BR] Apply patch from Frederic Bonnard detecting audio tags.
(Closes: #840009)
* data/spelling/corrections*:
+ [JW, PW] Add more corrections.
* lib/Lintian/Unpacker.pm:
+ [NT] Use the new "do_fork()" sub to ensure workers do not inherit
the default signal handler, which could allow any number of workers
to promote themselves to independent "masters" - effectively
creating a fork-bomb with an ill-timed signal.
* lib/Lintian/Util.pm:
+ [NT] Add a "do_fork()" sub to ensure signal handling is
reset for child processes.
* t/tests/shared-libs-non-pic-i386/debian/Makefile:
+ [JW] Pass -fno-PIE and -fno-pie to GCC, so that the test works even
when the compiler enables PIE by default. (Closes: #841442)
-- Niels Thykier <email address hidden> Sat, 22 Oct 2016 13:42:28 +0000
-
lintian (2.5.48) unstable; urgency=low
* Summary of tag changes:
+ Added:
- file-name-contains-wildcard-character
- homepage-for-cran-package-not-canonical
- init.d-script-needs-depends-on-lsb-base
- maintscript-includes-maint-script-parameters
+ Removed:
- hardening-no-stackprotector
* checks/binaries.{desc,pm}:
+ [NT] Rewrite/embed the necessary bits from hardening-check to
implement the default hardening-no-* checks directly in lintian.
This is because hardening-check appears to be losing its
"home" with the coming removal of hardening-wrapper and
hardening-includes. (Closes: #836756)
+ [JW] Remove the hardening-no-stackprotector tag.
+ [NT] Allow "golang-any" as an alternative to "golang-go" in
Build-Depends for detecting golang binaries. Thanks to
Martín Ferrari for the report and the initial patch.
(Closes: #839228)
* checks/changelog-file.{desc,pm}:
+ [JW] Bump threshold for improbable bug number to 2000.
* checks/control-file.{desc,pm}:
+ [JW] Add references to tags related to build profiles.
+ [JW] Relax Build-Profiles syntax check to allow (almost) any
characters in profile names. Thanks to Ximin Luo for the bug report.
(Closes: #839086)
+ [JW] Add support for pkg.<srcpkg>.<anything> build profiles.
* checks/debhelper.pm:
+ [JW] Ignore comments in debian/rules.
+ [JW] Fix parsing rule targets in lines containing multiple colons.
Thanks to Andreas Beckmann for the bug report. (Closes: #838246)
+ [CL] Check for .maintscript files that include
"maint-script-parameters". (Closes: #838195)
+ [NT] Fix typo that prevented lintian from detecting uses of the
dhmk build-system.
* checks/fields.{desc,pm}:
+ [JW] Fix typo.
+ [JW] Add references to tags related to build profiles.
+ [JW] Add support for pkg.<srcpkg>.<anything> build profiles.
+ [JW] Demote tags for build-depends related to build profiles to
pedantic, as the required packages are available in stable.
Thanks to Helmut Grohne for the bug report. (Closes: #831633)
+ [NT] Apply patch from Dylan Aïssi to tag r-bioc packages not in
section "gnu-r". (Closes: #839263)
+ [NT] Apply patch from Dylan Aïssi to tag non-canonical uses of
the cran homepage in the Homepage field. (Closes: #839553)
* checks/files.{desc,pm}:
+ [CL, NT] Tag usages of shell wildcard characters in file names.
(Closes: #814326)
* checks/init.d.{desc,pm}:
+ [CL, NT] Emit a tag for initscripts that source the
/lib/lsb/init-functions utility functions without declaring the
corresponding dependency on lsb-base (>= 3.0-6).
(Closes: #838997)
* checks/shared-libs.desc:
+ [JW] Fix typos.
* checks/testsuite.pm:
+ [JW] Apply patch from Sean Whitton to recognise autopkgtest-pkg-elpa
as a valid value for the Testsuite field. (Closes: #837801)
* collection/hardening-info:
+ [NT] Removed.
* data/fields/build-profiles:
+ [JW] Add new profiles: nogolang, nojava, noperl, nopython, noudeb.
* data/fields/obsolete-packages:
+ [NT] Apply patch from Otto Kekäläinen to assist with the transition
to the "default-mysql-*" packages. (Closes: #838603)
* data/fields/perl-provides:
+ [NT] Refresh perl provides.
* data/files/js-libraries:
+ [BR] Apply patch from Jean-Michel Vourgère to add detection of
libjs-jquery-migrate-1. (Closes: #823627)
* data/files/php-libraries:
+ [JW] Apply patch from Marcelo Jorge Vieira to update package name
for php-gettext. (Closes: #837502)
* data/spelling/corrections:
+ [JW, PW] Add more corrections.
* debian/control:
+ [NT] Drop dependencies on hardening-includes as we no longer need
hardening-check.
* debian/copyright:
+ [JW] Add Paul Wise.
+ [JW] Remove now-unneeded separate entry for spellintian.t.
+ [JW] Update copyright years.
+ [CL] Add Chris Lamb.
* helpers/coll/hardening-info-helper:
+ [NT] Removed.
* helpers/coll/objdump-info-helper:
+ [NT] Expose a few more bits from readelf needed to implement some
of the hardening checks.
* lib/Lintian/Collect/Binary.pm:
+ [NT] Expose a few more bits from readelf needed to implement some
of the hardening checks.
* profiles/debian/extra-hardening.profile:
+ [NT] Removed - we no longer support the stackprotector tag.
* profiles/debian/ftp-master-auto-reject.profile:
+ [JW] Refresh against current rule set.
* profiles/debian/main.profile:
+ [JW] Stop disabling the hardening-no-stackprotector tag.
* t/scripts/spellintian.t:
+ [JW] Relicense as GPLv2+, like the rest of Lintian.
-- Niels Thykier <email address hidden> Tue, 04 Oct 2016 19:37:17 +0000