vcswatch reports that
this package seems to have new commits in its VCS but has
not yet updated debian/changelog. You should consider updating
the Debian changelog and uploading this new version into the archive.
Here are the relevant commit logs:
commit 4c20fd71d647ea8289daa4e117f8d48a03b366bc
Merge: 485bdc89 489e6ba7
Author: Julian Andres Klode <jak@debian.org>
Date: Fri Jul 3 15:51:43 2026 +0000
Merge branch 'fix/hashes-openssl-disabled-digest-crash' into 'main'
hashes: don't crash on an unavailable digest
See merge request apt-team/apt!589
commit 489e6ba733a923a2e4d79a20e9e886f4cac046f4
Author: Mark Atwood <mark@reviewcommit.com>
Date: Wed Jul 1 13:44:46 2026 -0700
test: exercise hashes with a disabled digest
Add an integration test for the previous commit. Under a null-provider
OpenSSL config that makes MD5 unavailable, apt-ftparchive's Description-md5
path (Hashes::GetHashString(Hashes::MD5SUM)) must not emit an uninitialised
/garbage digest. A positive control first asserts the field IS produced when
MD5 is available, so the trigger has teeth; the test skips gracefully on
OpenSSL < 3.0 or where the null provider cannot disable MD5.
commit d714c12f40a7e3c5e0593325219a9fe6c430d8d0
Author: Mark Atwood <mark@reviewcommit.com>
Date: Wed Jul 1 12:30:06 2026 -0700
hashes: don't crash on an unavailable digest
Since the switch to OpenSSL (90270f095), PrivateHashes::Enable() can fail
(e.g. MD5 is unavailable under an OpenSSL FIPS provider), leaving the
EVP_MD_CTX for that algorithm as a nullptr. The return value is not checked
at the constructor call sites, so callers that later request that specific
digest hit undefined behaviour:
* HexDigest() calls EVP_MD_CTX_copy(tmp, contexts[index]) with a nullptr
source. On OpenSSL builds where the copy dereferences the source this
SIGSEGVs; on OpenSSL 3.0.13 the copy returns an error, EVP_DigestFinal_ex
leaves the buffer uninitialised, and HexDigest returns a garbage digest
(exit 0, bytes vary run-to-run).
* GetHashString() calls HexDigest() with no IsEnabled() guard, so an
explicitly requested-but-disabled digest reaches the UB above.
Reachable from HashString::GetHashForFile()/VerifyFile()/FromFile() when the
requested type is "MD5Sum", and from apt-cdrom identification (cdromutl.cc),
which hardcodes MD5. The normal update/download path is unaffected:
GetHashStringList() already guards each emit with IsEnabled() and verifies
with the strongest available hash.
Guard HexDigest() against a null context and skip a disabled digest in
GetHashString(), returning an empty HashString. Callers already treat an
empty/mismatching hash as a verification failure, so a disabled digest now
fails cleanly; a present strong hash still verifies unchanged.
This is the OpenSSL-provider analogue of the libgcrypt-era fix in !295
(Debian #1014517), which no longer applies after gcrypt was removed.
commit 485bdc895761f1225fae33c8acb2571e884a3863
Merge: a1c76a66 a13b5091
Author: Julian Andres Klode <jak@debian.org>
Date: Fri Jul 3 13:30:41 2026 +0000
Merge branch 'fix/hashes-include-span' into 'main'
hashes: include <span> for std::span
See merge request apt-team/apt!588
commit a13b5091addd4f065b426297686c861bffc7527a
Author: Mark Atwood <mark@reviewcommit.com>
Date: Wed Jul 1 12:30:31 2026 -0700
hashes: include <span> for std::span
HexDigest() uses std::span (apt-pkg/contrib/hashes.cc:299,369) but relies on
<span> being pulled in transitively by another header. That works on some
libstdc++ versions but fails to build on others (observed with g++-13.3 on
Ubuntu 24.04: std::span undeclared). Include <span> directly.
commit a1c76a66b65339b6764b4f94539cdb0fdecda309
Author: David Kalnischkies <david@kalnischkies.de>
Date: Wed Jun 10 12:41:54 2026 +0000
Unfuzzy the ::host vs host:: doc-only example change
No need to annoy the translators with this change if we can
do the flip for them and hide it as the pot wasn't regenerated
so far (as the change was not part of a release yet).
Gbp-Dch: Ignore
Fixes: 080f2c092795382fe77591f8a41e19172ebead26
commit 02672754102134790e90ba491b1d89529742ec09
Author: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>
Date: Wed Jun 10 09:03:36 2026 +0000
Romanian program translation update
Closes: #1139336
commit 62853bbb16ca032fcaa0920f8af14549d1cc1ca8
Author: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>
Date: Wed Jun 10 09:02:44 2026 +0000
Dutch manpages translation update
Closes: #1135222
commit f4733601e483ecdc166778be84a509dcdb5806dc
Author: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>
Date: Wed Jun 10 09:02:12 2026 +0000
Dutch program translation update
Closes: #1135221
commit 8abecb6ff22c2ae4036d0c4db6bfe801a3b314fb
Author: Américo Monteiro <a_monteiro@gmx.com>
Date: Wed Jun 10 09:01:28 2026 +0000
Portuguese manpages translation update
Closes: #1133965
commit 49e91b96d9faeca50ab0b212174744938d446132
Author: David Kalnischkies <david@kalnischkies.de>
Date: Thu Feb 5 21:18:40 2026 +0000
aptwebserver: Refuse client immediately on TLS handshake
We implement a HTTP-only server here (that is wrapped by stunnel for
HTTPS support), so if a TLS handshake reaches us it is always wrong
and we can just close the connection immediately instead of accepting
it and letting the client run into a timeout as we will never receive
the message(s) we expect.
This happens e.g. with browsers like Firefox that opportunistically
try https first (even if you ask for http and specify a port).
commit 5b49a25a292dd3ed2355fadaca68753a72eb2422
Merge: cae6d486 080f2c09
Author: Julian Andres Klode <jak@debian.org>
Date: Thu May 21 09:06:52 2026 +0000
Merge branch 'https' into 'main'
apt-transport-https(1): document host-specific SSLCert, SSLKey, Verify-Host with host:: instead of ::host
See merge request apt-team/apt!579
commit 080f2c092795382fe77591f8a41e19172ebead26
Author: наб <nabijaczleweli@nabijaczleweli.xyz>
Date: Wed May 13 21:35:36 2026 +0200
apt-transport-https(1): document host-specific SSLCert, SSLKey, Verify-Host with host:: instead of ::host
Empirically, SSLCert and SSLKey need to be specified in the reverse order,
and only
Acquire::https::deb.beaverlabs.net {
SSLCert ".../cert.pem";
SSLKey ".../pkey.pem";
};
, not the documented order, works
Sponsored-by: https://beaverlabs.net
commit cae6d486b4294a0ba0a4694171380737c3818aac
Author: Julian Andres Klode <jak@debian.org>
Date: Wed May 20 19:42:18 2026 +0200
Document and test combined `build-dep --arch-only --indep-only`
This is a supported configuration to only use bare Build-Depends
and Build-Conflicts.