This bug was fixed in the package apt - 2.8.3
---------------
apt (2.8.3) noble; urgency=medium

  * Revert increased key size requirements from 2.8.0-2.8.2 (LP: #2073126)
    - Revert "Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment"
    - Revert "Only warn about <rsa2048 when upgrading from 2.7.x to 2.8.x"
    - Revert rsa1024 to warnings again
    This leaves the mechanisms in place and no longer warns about NIST curves.
  * Fix keeping back removals of obsolete packages; and return an error if
    ResolveByKeep() is unsuccessful (LP: #2078720)
  * Fix buffer overflow, stack overflow, exponential complexity in
    apt-ftparchive Contents generation (LP: #2083697)
    - ftparchive: Mystrdup: Add safety check and bump buffer size
    - ftparchive: contents: Avoid exponential complexity and overflows
    - test framework: Improve valgrind support
    - test: Check that apt-ftparchive handles deep paths
    - Workaround valgrind "invalid read" in ExtractTar::Go by moving large
      buffer from stack to heap. The large buffer triggered some bugs in
      valgrind stack clash protection handling.

apt (2.8.2) noble; urgency=medium

  * Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment
    (follow-up for LP: #2073126)

apt (2.8.1) noble; urgency=medium

  * Only revoke weak RSA keys for now, add 'next' and 'future' levels
    (backported from 2.9.7)
    Note that the changes to warn about keys not matching the future level
    in the --audit level are not fully included, as the --audit feature
    has not yet been backported. (LP: #2073126)
  * Introduce further mitigation on upgrades from 2.7.x to allow these
    systems to continue using rsa1024 repositories with warnings
    until the 24.04.2 point release (LP: #2073126)

apt (2.8.0) noble; urgency=medium

  [ Julian Andres Klode ]
  * Revert "Temporarily downgrade key assertions to "soon worthless""
    We temporarily downgraded the errors to warnings to give the
    launchpad PPAs time to be fixed, but warnings are not safe:
    Untrusted keys could be hiding on your system, but just not
    used at the moment. Hence revert this so we get the errors we
    want. (LP: #2060721)
  * Branch off the stable 2.8.y branch for noble:
    - CI: Test in ubuntu:noble images for 2.8.y
    - debian/gbp.conf: Point at the 2.8.y branch

  [ David Kalnischkies ]
  * Test suite fixes:
    - Avoid subshell hiding failure report from testfilestats
    - Ignore umask of leftover diff_Index in failed pdiff test
  * Documentation translation fixes:
    - Fix and unfuzzy previous VCG/Graphviz URI change

 -- Julian Andres Klode <[email protected]>  Tue, 22 Oct 2024 15:02:22 +0200

** Changed in: apt (Ubuntu Noble)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/2060721
Title:
APT 2.8.4+: Promote weak key warnings to errors