
Bug#1011651: marked as done (RFS: logrotate/3.18.0-2+deb11u1 -- Log rotation utility)



Your message dated Thu, 26 May 2022 01:45:40 +0200
with message-id <Yo6/pCFKwq1kia3B@angband.pl>
and subject line Re: Bug#1011651: RFS: logrotate/3.18.0-2+deb11u1 -- Log rotation utility
has caused the Debian Bug report #1011651,
regarding RFS: logrotate/3.18.0-2+deb11u1 -- Log rotation utility
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1011651: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011651
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: sponsorship-requests
Severity: important
X-Debbugs-CC: team@security.debian.org


Dear mentors,

I am looking for a sponsor for my package "logrotate":

 * Package name    : logrotate
   Version         : 3.18.0-2+deb11u1
   Upstream Author : https://github.com/logrotate/logrotate/issues
 * URL             : https://github.com/logrotate/logrotate
 * License         : GPL-2, GPL-3+, BSD-3-Clause
 * Vcs             : https://salsa.debian.org/debian/logrotate
   Section         : admin

The source builds the following binary packages:

  logrotate - Log rotation utility

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/logrotate/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/l/logrotate/logrotate_3.18.0-2+deb11u1.dsc

Changes since the last upload:

 logrotate (3.18.0-2+deb11u1) stable; urgency=medium
 .
   * d/patches: cherry-pick upstream fixes:
     - skip locking if state file is world-readable (CVE-2022-1348)
 .
     - more strict configuration parsing to avoid parsing
       parts of foreign files, e.g. core dumps, (see #1002022)
 .
     - do not use incorrect stat information when verifying an olddir
       configuration after creating the olddir
 .
     - advance pointer in full_write on incomplete write to avoid data
       corruption

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004580
and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011644

Regards,
       Christian Göttsche

--- End Message ---
--- Begin Message ---
On Thu, May 26, 2022 at 12:50:30AM +0200, Christian Göttsche wrote:
>    Version         : 3.18.0-2+deb11u1
>    Upstream Author : https://github.com/logrotate/logrotate/issues

>  logrotate (3.18.0-2+deb11u1) stable; urgency=medium
>  .
>    * d/patches: cherry-pick upstream fixes:
>      - skip locking if state file is world-readable (CVE-2022-1348)
>  .
>      - more strict configuration parsing to avoid parsing
>        parts of foreign files, e.g. core dumps, (see #1002022)
>  .
>      - do not use incorrect stat information when verifying an olddir
>        configuration after creating the olddir
>  .
>      - advance pointer in full_write on incomplete write to avoid data
>        corruption

You need to target "bullseye" not "stable", as the latter keeps changing.
I've amended this and uploaded.

> See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004580
> and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011644


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ If you ponder doing what Jesus did, remember that flipping tables
⢿⡄⠘⠷⠚⠋⠀ and chasing people with a whip is a prime choice.
⠈⠳⣄⠀⠀⠀⠀

--- End Message ---
