
Please unblock schroot 1.4.16-1



Hi,

I've made a new upload of schroot to unstable which fixes a few
security- and upgrade-related bugs.  The bulk of the changes are
documentation (manual pages, release notes and changelogs). The
code changes are tiny, but are important to have to upgrade from
lenny cleanly and fully document security issues and program
behaviour.

Please could you consider unblocking for squeeze?


Thanks,
Roger


#601043, #605939: Upgrade failure when upgrading from lenny.  The
         restrictions on valid filenames were made much stricter
         in 1.4.0 (later than Lenny), meaning many configurations
         are broken when upgrading.  After auditing all validation
         and usage paths in the code, I've relaxed the naming
         restrictions such that it remains secure, but allows
         most names which were valid in lenny.  There's a complete
         rationale for the naming restrictions in schroot.conf(5).
#605950  This is a regression which results in mount options in the
         configuration file being ignored.  They are now correctly
         preserved.
#606162  This is a performance regression which caused schroot to
         run extremely poorly on large heavily loaded systems; this
         speeds up session cleanup by orders of magnitude by using
         shell builtins rather than invoking readlink once per
         running process on the system.
#587758  Documentation of security issues relating to configuration
#599380  Documentation update (non-essential)


schroot (1.4.16-1) unstable; urgency=low

  * New upstream stable release.
  * Document schroot -- option delimiter in schroot(1)
    (Closes: #599380).
  * Document security implications of bind-mounting /dev and other
    filesystems in schroot.conf(5) (Closes: #587758).
  * Relax chroot naming restrictions (Closes: #601043, #605939).  The
    name may not contain a leading period (‘.’).  The  characters ‘:’
    (colon), ‘,’ (comma) and ‘/’ (forward slash) are not permitted
    anywhere in the name.  The name may also not contain a trailing
    tilde ('~').  Otherwise any characters are permitted.
  * 10mount: Respect mount options from configuration for all mountable
    chroot types (Closes: #605950).  Thanks to Nelson Elhage for this
    patch.
  * 15killprocs: Improve performance by omitting a readlink call for
    each process running on the system, leading to a significant
    reduction in overhead on busy systems (Closes: #606162).  Thanks
    to Anders Kaseorg for this patch.

 -- Roger Leigh <rleigh@debian.org>  Tue, 07 Dec 2010 12:29:25 +0000


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
