--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Upstream recently fixed two memory leaks in xymond, xymon's main
daemon. Without these fixes leakages of 2 GB memory per day
have been observed under production conditions.

I've just uploaded xymon/4.3.17-6 to DELAYED/15 (see
https://ftp-master.debian.org/deferred.html) with:

* two patches cherry picked from upstream to fix memory leaks
  (https://bugs.debian.org/778343)
* one debconf translation update (https://bugs.debian.org/776126)
* one so far missing addition to debian/copyright
  (https://bugs.debian.org/775590)

As soon as I've got your approval for the debdiff below, I'll
fast-forward the upload to unstable.

Full debdiff:

diff -Nru xymon-4.3.17/debian/changelog xymon-4.3.17/debian/changelog
--- xymon-4.3.17/debian/changelog 2015-01-22 17:37:30.000000000 +0100
+++ xymon-4.3.17/debian/changelog 2015-02-13 21:59:49.000000000 +0100
@@ -1,10 +1,24 @@
+xymon (4.3.17-6) unstable; urgency=medium
+
+ [ Axel Beckert ]
+ * Add CVE ID to the previous changelog entry.
+ * Debconf translations, thanks!
+ + ru by Yuri Kozlov (Closes: #776126)
+ * Cherry pick two patches from upstream to fix multiple memory leaks.
+ (Closes: #778343)
+
+ [ Christian Kastner ]
+ * Document license of sha?.* files in debian/copyright (Closes: #775590)
+
+ -- Axel Beckert <abe@debian.org> Fri, 13 Feb 2015 21:59:49 +0100
+
xymon (4.3.17-5) unstable; urgency=medium
[ Christoph Berg ]
* Restore the lost ROOTFS variable in xymonclient-linux.sh, and patch
xymond/rrd/do_disk.c to ignore duplicate submissions for the / partition.
(Closes: #767901)
- * Fix buffer overrun in web/acknowledge.c (Closes: #776007)
+ * Fix buffer overrun in web/acknowledge.c (Closes: #776007, CVE-2015-1430)
* Debconf translations, thanks!
+ pt by Américo Monteiro (Closes: #767840)
+ fr by Jean-Pierre Giraud (Closes: #770168)
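Review bot: In the new 4.3.17-6 entry, the item "Cherry pick two patches from upstream to fix multiple memory leaks" does not say which patches are meant. Naming them (fix-xymond-memory-leak and set-initial-size-for-xymondlog-output, the two names this debdiff adds to debian/patches/series) would let a reader map the changelog entry to the patch files without opening the debdiff.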
diff -Nru xymon-4.3.17/debian/copyright xymon-4.3.17/debian/copyright
--- xymon-4.3.17/debian/copyright 2014-10-01 15:41:26.000000000 +0200
+++ xymon-4.3.17/debian/copyright 2015-02-13 15:34:20.000000000 +0100
@@ -121,6 +121,38 @@
copied and put under another distribution licence
[including the GNU Public Licence.]
+lib/sha1.c:
+ 100% Public Domain, by Steve Reid <steve@edmweb.com>, with small changes
+ by Thomas Roessler <roessler@does-not-exist.org>.
+
+lib/sha2.*
+ Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the project nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
There is a nested c-ares tarball in bbnet/:
Copyright 1998, 2000 by the Massachusetts Institute of Technology.
Copyright (C) 2004 by Daniel Stenberg et al
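Review bot: The new stanza header "lib/sha1.c:" names only the .c file, while the changelog entry says the license of the "sha?.*" files is now documented. If a lib/sha1.h of the same origin ships in the source, the header should be widened (for example to lib/sha1.*) so it matches the lib/sha2.* stanza. The "lib/sha2.*" header is also missing the trailing colon that "lib/sha1.c:" carries.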
diff -Nru xymon-4.3.17/debian/patches/fix-xymond-memory-leak xymon-4.3.17/debian/patches/fix-xymond-memory-leak
--- xymon-4.3.17/debian/patches/fix-xymond-memory-leak 1970-01-01 01:00:00.000000000 +0100
+++ xymon-4.3.17/debian/patches/fix-xymond-memory-leak 2015-02-13 20:32:46.000000000 +0100
@@ -0,0 +1,19 @@
+Description:Fix memory leak in acknowledge handling.
+ Cherry-picked from the 4.3.18 upstream release.
+Origin: http://sourceforge.net/p/xymon/code/7488/
+Applied-Upstream: http://sourceforge.net/p/xymon/code/7488/
+Reviewed-by: Axel Beckert <abe@debian.org>
+
+Index: xymon/xymond/xymond.c
+===================================================================
+--- xymon.orig/xymond/xymond.c 2015-02-13 15:38:17.000000000 +0100
++++ xymon/xymond/xymond.c 2015-02-13 15:40:05.000000000 +0100
+@@ -2365,6 +2365,8 @@
+ if (zombie->dismsg) xfree(zombie->dismsg);
+ if (zombie->ackmsg) xfree(zombie->ackmsg);
+ if (zombie->grouplist) xfree(zombie->grouplist);
++ if (zombie->lastchange) xfree(zombie->lastchange);
++ if (zombie->testflags) xfree(zombie->testflags);
+ flush_acklist(zombie, 1);
+ xfree(zombie);
+ dbgprintf("<- free_log_t\n");
diff -Nru xymon-4.3.17/debian/patches/series xymon-4.3.17/debian/patches/series
--- xymon-4.3.17/debian/patches/series 2015-01-22 16:49:00.000000000 +0100
+++ xymon-4.3.17/debian/patches/series 2015-02-13 20:32:46.000000000 +0100
@@ -25,3 +25,5 @@
apache2.4
disk-no-duplicate-root
acknowledge-malloc
+fix-xymond-memory-leak
+set-initial-size-for-xymondlog-output
diff -Nru xymon-4.3.17/debian/patches/set-initial-size-for-xymondlog-output xymon-4.3.17/debian/patches/set-initial-size-for-xymondlog-output
--- xymon-4.3.17/debian/patches/set-initial-size-for-xymondlog-output 1970-01-01 01:00:00.000000000 +0100
+++ xymon-4.3.17/debian/patches/set-initial-size-for-xymondlog-output 2015-02-13 20:32:46.000000000 +0100
@@ -0,0 +1,33 @@
+Description: Set an initial size for the xymondlog output
+ Cherry-picked from the 4.3.18 upstream release.
+ .
+ Original commit message: "xymond: Set an initial size for the
+ xymondlog output, to avoid realloc'ing the buffer too much. Fix a
+ valgrind complaint. JC Cleaver"
+ .
+ Despite the harmless sounding commit message, this seems to fix a
+ severe memory leak. Without this patch, valgrind reported the loss of
+ about 12 MB every five minutes on a bigger installation.
+Origin: http://sourceforge.net/p/xymon/code/7489/
+Applied-Upstream: http://sourceforge.net/p/xymon/code/7489/
+
+Index: xymon/xymond/xymond.c
+===================================================================
+--- xymon.orig/xymond/xymond.c 2015-02-13 16:50:42.000000000 +0100
++++ xymon/xymond/xymond.c 2015-02-13 17:21:42.000000000 +0100
+@@ -3679,12 +3679,13 @@
+ }
+
+ xfree(msg->buf);
+- logdata = generate_outbuf(NULL, logfields, h, log, acklevel);
++ logdata = newstrbuffer(20480);
++ logdata = generate_outbuf(&logdata, logfields, h, log, acklevel);
+ addtobuffer(logdata, msg_data(log->message, 0));
+
+ msg->doingwhat = RESPONDING;
+ msg->buflen = STRBUFLEN(logdata);
+- msg->bufp = grabstrbuffer(logdata);
++ msg->bufp = msg->buf = grabstrbuffer(logdata);
+ }
+
+ clear_filter(logfilter);
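Review bot: The description credits this patch with fixing a severe leak but does not say which line does it, and the initial size in newstrbuffer(20480) is described by the upstream message only as avoiding repeated realloc. The line that changes ownership is "msg->bufp = msg->buf = grabstrbuffer(logdata);": after the earlier xfree(msg->buf), the old code stored the grabbed buffer only in msg->bufp, so the description should state that the fix is msg->buf now tracking that buffer. Please also confirm that generate_outbuf(&logdata, ...) returns the buffer it was handed, since its result is assigned back to logdata and a different return value would drop the newstrbuffer allocation. This patch header has no Reviewed-by field, unlike fix-xymond-memory-leak.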
diff -Nru xymon-4.3.17/debian/po/ru.po xymon-4.3.17/debian/po/ru.po
--- xymon-4.3.17/debian/po/ru.po 2014-10-23 14:57:35.000000000 +0200
+++ xymon-4.3.17/debian/po/ru.po 2015-02-03 12:26:32.000000000 +0100
@@ -1,21 +1,21 @@
# translation of ru.po to Russian
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
-# This file is distributed under the same license as the PACKAGE package.
+# This file is distributed under the same license as the xymon package.
#
-# Yuri Kozlov <kozlov.y@gmail.com>, 2007.
+# Yuri Kozlov <kozlov.y@gmail.com>, 2007, 2015.
msgid ""
msgstr ""
-"Project-Id-Version: 4.2.0.dfsg-4\n"
+"Project-Id-Version: xymon 4.3.17-4\n"
"Report-Msgid-Bugs-To: xymon@packages.debian.org\n"
"POT-Creation-Date: 2014-10-23 14:57+0200\n"
-"PO-Revision-Date: 2012-06-13 13:40+0200\n"
-"Last-Translator: Yuri Kozlov <kozlov.y@gmail.com>\n"
+"PO-Revision-Date: 2015-01-24 09:26+0300\n"
+"Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
"Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
"Language: ru\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"X-Generator: KBabel 1.11.4\n"
+"X-Generator: Lokalize 1.5\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
@@ -68,7 +68,7 @@
#. Description
#: ../xymon-client.templates:3001
msgid "Automatically migrate old hobbit files to xymon?"
-msgstr ""
+msgstr "Перейти с файлов hobbit на xymon автоматически?"
#. Type: boolean
#. Description
@@ -80,3 +80,10 @@
"usually a good idea, but might not work so well if your config differs "
"substantially from the default."
msgstr ""
+"Системный рабочий пользователь был переименован с «hobbit» в "
+"«xymon», и все настройки, состояние, журнальные каталоги и файлы "
+"также были переименованы. Послеустановочные сценарии пакета "
+"могут выполнить переход автоматически. Обычно, всё проходит хорошо, "
+"но могут возникать ошибки, если ваши настройки сильно отличаются "
+"от настроек по умолчанию."
+
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (500, 'buildd-unstable'), (400, 'stable'), (110, 'experimental'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.18.0-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
--- End Message ---