[devscripts] annotated tag v2.13.9 created (now ff24d5f)

James McCoy jamessan at debian.org
Mon Dec 23 20:46:21 UTC 2013


This is an automated email from the git hooks/post-receive script.

jamessan pushed a change to annotated tag v2.13.9
in repository devscripts.

        at  ff24d5f   (tag)
   tagging  3025603d7532a5712e7e0278c93fa71dd6d8301f (commit)
  replaces  v2.13.8
 tagged by  James McCoy
        on  Mon Dec 23 15:43:14 2013 -0500

- Log -----------------------------------------------------------------
tagging package devscripts version 2.13.9

Format: 1.8
Date: Mon, 23 Dec 2013 15:28:45 -0500
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.13.9
Distribution: unstable
Urgency: low
Maintainer: Devscripts Devel Team <devscripts-devel at lists.alioth.debian.org>
Changed-By: James McCoy <jamessan at debian.org>
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 732006 732807
Changes:
 devscripts (2.13.9) unstable; urgency=low
 .
   [ Martin Pitt ]
   * autopkgtest: Add "allow-stderr" restriction to avoid failing tests because
     of the HTTP server log on stderr.
 .
   [ James McCoy ]
   * uscan:
     + Repack the tarball and verify it is a compressed archive without
       allowing arbitrary code execution.  Fixes CVE-2013-6888.
     + Use find's -exec to call rm directly instead of piping to xargs.
       (Closes: #732006, CVE-2013-7085)
     + Follow tar's recommended security practices
       - Use --keep-old-files --no-overwrite-dir
       - Ensure parent directory of directory used for repacking archive isn't
         accessible to other users.
     + Fix handling of 'dirname' exclusions, so 'dirname/*' isn't required.
 .
   [ Salvatore Bonaccorso ]
   * uscan: Fix uninitialized value warning when copyright is not in
     copyright-format 1.0.  (Closes: #732807)
Checksums-Sha1:
 ddf1563312c51c4f26ee839d9e727ad26d2f4fba 1237 devscripts_2.13.9.dsc
 3441585a591f4075f7b8d7aa8bf73a88697bdd6c 578684 devscripts_2.13.9.tar.xz
 d1527931206b5be9e5ebdea815457d9e2dd120c0 863220 devscripts_2.13.9_amd64.deb
Checksums-Sha256:
 9010f1132409555996a00d1530413837be0d24b3d98f9736d6bb532a34485c08 1237 devscripts_2.13.9.dsc
 78e63e02ecd204ca8157693dc5969eddaf1312d26b572f5dd6ab646ef674c916 578684 devscripts_2.13.9.tar.xz
 a56ebd01870f9125fe2e2b9dcd5fef089c1569e680e7c193f6a81ec568c55726 863220 devscripts_2.13.9_amd64.deb
Files:
 c8d9bd08252ace0274745c2dcb733a45 1237 devel optional devscripts_2.13.9.dsc
 a55e715d41cd45c465fa937683e8e5dd 578684 devel optional devscripts_2.13.9.tar.xz
 c46e70249eade032df77eb259b6161b9 863220 devel optional devscripts_2.13.9_amd64.deb

James McCoy (8):
      Add test for code execution when cleaning up "dirty" tarball
      uscan: Have find invoke rm directly instead of piping to xargs
      uscan: Fix code execution vulnerabilities with --repack
      Document uscan security fixes, CVE-2013-6888 and CVE-2013-7085
      uscan: Follow tar's recommended security practices
      uscan: Avoid using an untrusted directory name in the shell
      uscan: Fix handling of 'dirname' exclusions, so 'dirname/*' isn't required.
      releasing devscripts 2.13.9

Martin Pitt (1):
      autopkgtest: Add "allow-stderr" restriction to avoid failing tests because of the HTTP server log on stderr.

Salvatore Bonaccorso (1):
      Fix uninitialized value warning when copyright is not in copyright-format 1.0

-----------------------------------------------------------------------

This annotated tag includes the following new commits:

       new  89d0888   Add test for code execution when cleaning up "dirty" tarball
       new  4219a8e   uscan: Have find invoke rm directly instead of piping to xargs
       new  02c6850   uscan: Fix code execution vulnerabilities with --repack
       new  2810d99   Document uscan security fixes, CVE-2013-6888 and CVE-2013-7085
       new  4b7e58e   uscan: Follow tar's recommended security practices
       new  b815aa4   uscan: Avoid using an untrusted directory name in the shell
       new  e83f4ca   uscan: Fix handling of 'dirname' exclusions, so 'dirname/*' isn't required.
       new  1c8895c   Fix uninitialized value warning when copyright is not in copyright-format 1.0
       new  3025603   releasing devscripts 2.13.9

The 9 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git


