Package "python-apport"
Name: |
python-apport
|
Description: |
Python library for Apport crash report handling
|
Latest version: |
2.20.1-0ubuntu2.30 |
Release: |
xenial (16.04) |
Level: |
updates |
Repository: |
main |
Head package: |
apport |
Homepage: |
https://wiki.ubuntu.com/Apport |
Links
Download "python-apport"
Other versions of "python-apport" in Xenial
Changelog
apport (2.20.1-0ubuntu2.24) xenial-security; urgency=medium
* SECURITY UPDATE: information disclosure issue (LP: #1885633)
- data/apport: also drop gid when checking if user session is closing.
- CVE-2020-11936
* SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
- apport/report.py: don't crash on malformed mtime values.
- CVE-2020-15701
* SECURITY UPDATE: TOCTOU in core file location
- data/apport: make sure the process hasn't been replaced after Apport
has started.
- CVE-2020-15702
* apport/ui.py, test/test_ui.py: make sure a PID is specified when using
--hanging (LP: #1876659)
-- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 09:08:40 -0400
|
Source diff to previous version |
|
apport (2.20.1-0ubuntu2.23) xenial-security; urgency=medium
* SECURITY UPDATE: World writable root owned lock file created in user
controllable location (LP: #1862348)
- data/apport: Change location of lock file to be directly under
/var/run so that regular users can not directly access it or perform
symlink attacks.
- CVE-2020-8831
* SECURITY UPDATE: Race condition between report creation and ownership
(LP: #1862933)
- data/apport: When setting owner of report file use a file-descriptor
to the report file instead of its path name to ensure that users can
not cause Apport to change the ownership of other files via a
symlink attack.
- CVE-2020-8833
-- Alex Murray <email address hidden> Wed, 25 Mar 2020 11:50:41 +1030
|
Source diff to previous version |
|
apport (2.20.1-0ubuntu2.22) xenial-security; urgency=medium
[ Michael Hudson-Doyle ]
* SECURITY REGRESSION: fix autopkgtest failures since recent security
update (LP: #1854237)
- Fix regression in creating report for crashing setuid process by getting
kernel to tell us the executable path rather than reading
/proc/[pid]/exe.
- Fix deletion of partially written core files.
- Fix test_get_logind_session to use new API.
- Restore add_proc_info raising ValueError for a dead process.
- Delete test_lock_symlink, no longer applicable now that the lock is
created in a directory only root can write to.
[ Tiago Stürmer Daitx ]
* SECURITY REGRESSION: 'module' object has no attribute 'O_PATH'
(LP: #1851806)
- apport/report.py, apport/ui.py: use file descriptors for /proc/pid
directory access only when running under python 3; prevent reading /proc
maps under python 2 as it does not provide a secure way to do so; use
io.open for better compatibility between python 2 and 3.
* data/apport: fix number of arguments passed through socks into a container.
* test/test_report.py: test login session with both pid and proc_pid_fd.
* test/test_apport_valgrind.py: skip test_sandbox_cache_options if system
has little memory.
* test/test_ui.py: modify run_crash_kernel test to account for the fact that
linux-image-$kvers-$flavor is now built from the linux-signed source
package on amd64 and ppc64el. (LP: #1766740)
-- Tiago Stürmer Daitx <email address hidden> Thu, 27 Feb 2020 03:18:45 +0000
|
Source diff to previous version |
1854237 |
autopkgtests fail after security fixes |
1851806 |
'module' object has no attribute 'O_PATH' |
1766740 |
apport autopkgtest regression due to kernel packaging changes |
|
apport (2.20.1-0ubuntu2.21) xenial-security; urgency=medium
* SECURITY REGRESSION: missing argument in Report.add_proc_environ
call (LP: #1850929)
- apport/report.py: call add_proc_environ using named arguments
and move proc_pid_dir keyword to last to keep api compatibility.
-- Tiago Stürmer Daitx <email address hidden> Tue, 05 Nov 2019 02:49:27 +0000
|
Source diff to previous version |
1850929 |
python3-apport regression: missing argument in Report.add_proc_environ call |
|
apport (2.20.1-0ubuntu2.20) xenial-security; urgency=medium
* SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
is a symlink (LP: #1830862)
- apport/fileutils.py: drop permissions before reading user settings file.
- CVE-2019-11481
* SECURITY UPDATE: TOCTTOU race conditions and following symbolic
links when creating a core file (LP: #1839413)
- data/apport: use file descriptor to reference to cwd instead
of strings.
- CVE-2019-11482
* SECURITY UPDATE: fully user controllable lock file due to lock file
being located in world-writable directory (LP: #1839415)
- data/apport: create and use lock file from /var/lock/apport.
- CVE-2019-11485
* SECURITY UPDATE: per-process user controllable Apport socket file
(LP: #1839420)
- data/apport: forward crashes only under a valid uid and gid,
thanks Stéphane Graber for the patch.
- CVE-2019-11483
* SECURITY UPDATE: PID recycling enables an unprivileged user to
generate and read a crash report for a privileged process (LP: #1839795)
- data/apport: drop permissions before adding proc info (special thanks
to Kevin Backhouse for the patch)
- data/apport, apport/report.py, apport/ui.py: only access or open
/proc/[pid] through a file descriptor for that directory.
- CVE-2019-15790
-- Tiago Stürmer Daitx <email address hidden> Tue, 29 Oct 2019 05:23:08 +0000
|
|
About
-
Send Feedback to @ubuntu_updates