Package: dpkg Version: 1.21.0 Severity: serious The dpkg-fsys-usrunmess program installs a dpkg-fsys-usrunmess package which maliciously abuses the Protected and Conflicts/Replaces/Provides fields to prevent installing again the usrmerge package:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit?id=abd3a064ef8a9004e7ff2c9e5841e507487130ac This is dpkg's own changelog about the Protected field: This field is intended to make it possible to move several of the current packages marked as Essential, so that they can be removed on installations where these do not make sense being installed. Protected packages have some of the properties of Essential, but not all. These are intended to be used mostly for packages that are involved in booting the system. Which is clearly not what is happening here. -- ciao, Marco
signature.asc
Description: PGP signature