| 1,21 → 1,3 |
|---|
| libtar (1.2.20-2) unstable; urgency=low |
| |
| * no_static_buffers.patch: avoid using a static buffer in |
| th_get_pathname(). Taken from upstream. Needed for no_maxpathlen.patch. |
| * maxpathlen.patch: Fix FTBFS on Hurd by dynamically allocating path |
| names (Closes: #657116). Thanks to Svante Signell and Petter |
| Reinholdtsen. |
| * [SECURITY] CVE-2013-4420.patch: Strip out leading slashes and any |
| pathname prefix containing ".." components (Closes: #731860). This is |
| done in th_get_pathname() (as well as to symlink targets when |
| extracting symlinks), not merely when extracting files, which means |
| applications calling that function will not see the stored |
| filename. There is no way to disable this behaviour, but it can be |
| expected that one will be provided when the issue is solved upstream. |
| * Bump Standards-Version to 3.9.5. |
| |
| -- Magnus Holmgren <holmgren@debian.org> Sat, 15 Feb 2014 21:49:37 +0100 |
| |
| libtar (1.2.20-1) unstable; urgency=high |
| |
| * [SECURITY] New upstream release. Fixes CVE-2013-4397: Integer |