Your message dated Sat, 23 Jan 2016 13:57:15 +0000 with message-id <1453557435.1835.52.camel@adam-barratt.org.uk> and subject line "8.3 point release cleanup" has caused the Debian Bug report #806247, regarding jessie-pu: package dbconfig-common/1.8.47+nmu3+deb8u1, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
806247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806247
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package dbconfig-common/1.8.47+nmu3
- From: Paul Gevers <elbrus@debian.org>
- Date: Wed, 25 Nov 2015 21:02:11 +0100
- Message-id: <20151125200211.10787.3986.reportbug@ruapehu.marsaxlokk.dhcp.io>
Package: release.debian.org
Severity: normal
Tags: jessie wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Stable Release Managers,

I come to you with this request after discussion with the security team. Because the issue I describe below only manifests itself upon database upgrades, which are extremely rare in a stable release, they consider it more appropriate for an SRU than for a DSA.

Recently a security issue¹ was reported against my package dbconfig-common. dbconfig-common is a Debian helper package for packages that require data in a database. The issue is that backups made by dbconfig-common during updates that involve PostgreSQL databases end up in files that may be readable by every user on the system (depending on the umask) because file permissions are not properly enforced. The code sets the umask, but only after the file is created. The fix is simple: move the lines creating the files and setting the ownership to after the change of the umask (see below the patch for unstable).

Apart from fixing the issue for creation of new files, the original reporter was suggesting to fix the permissions of already created files as well. What would your opinion be on that matter? I haven't created a proper patch for that yet, but it should simply chmod all the files in /var/cache/dbconfig-common/backups during installation of dbconfig-common.

I will start to work on a proper debdiff, but I would appreciate knowing whether I should include the fixing of existing files in it.

Paul
Current maintainer of dbconfig-common

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805638

- --- /usr/share/dbconfig-common/internal/pgsql.orig 2014-11-02 21:54:07.000000000 +0100
+++ /usr/share/dbconfig-common/internal/pgsql 2015-11-21 13:49:04.863637686 +0100
@@ -174,14 +174,14 @@ local extra retval PGSSLMODE localuser _dbc_asuser dumpfile old_umask dumpfile=$1 localuser=`_dbc_psql_local_username` - - touch $dumpfile - - chown $localuser $dumpfile PGSSLMODE="prefer" retval=0 _dbc_psql_cmd_setup if [ "$dbc_ssl" ]; then PGSSLMODE="require"; fi old_umask=`umask` umask 0066 + touch $dumpfile + chown $localuser $dumpfile extra=`_dbc_psql_cmd_args` extra="-f \"$dumpfile\" $extra" _dbc_debug "su -s /bin/sh $localuser -c \"env HOME='$_dbc_pgsql_tmpdir' PGPASSFILE='$_dbc_pgsql_tmpdir/.pgpass' PGSSLMODE='$PGSSLMODE' pg_dump $extra $dbc_dbname\" 2>&1"
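Review bot: the reordering only protects dump files that do not yet exist; `touch $dumpfile` on a path that is already present leaves its mode untouched, so a backup created world-readable by an earlier run keeps its permissions after this hunk, which is exactly the case the cover letter asks about and would need an explicit chmod (e.g. to 0600) rather than relying on the umask. Two smaller points in the same region: `touch $dumpfile` and `chown $localuser $dumpfile` leave `$dumpfile` unquoted while the later `extra="-f \"$dumpfile\" $extra"` quotes it, so quoting both avoids word splitting on an unusual path; and `old_umask` is saved here but its restore lies outside the shown context, so it is worth confirming it still runs on every exit path now that `umask 0066` also governs anything else the function creates after this point.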
--- End Message ---
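The ordering bug described in the request above, reproduced as an added example that is not dbconfig-common's own code: the unpatched order creates the dump under the caller's umask and only then tightens it, while the patched order tightens first. The `umask 022` starting value is a constructed stand-in for an inherited umask; `find_exposed_backups` and `fix_exposed_backups` are hypothetical helpers for the "already created files" case, and `stat(1)` from GNU coreutils or BSD is assumed.

```shell
#!/bin/sh
# Added example; not dbconfig-common's own code. Reproduces the ordering bug
# from the report: a dump file touched before `umask 0066` inherits the
# caller's umask (here a constructed 022) and comes out 0644; creating it
# after the umask change gives 0600. Assumes GNU coreutils or BSD stat(1).

# Print the octal permission bits of a file ("644", "600", ...).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Vulnerable order, as in the unpatched helper: create first, tighten later.
# Runs in a subshell so the umask changes do not leak to the caller.
# (The real helper also chowns the file to $localuser; omitted here.)
create_dump_vulnerable() (
    umask 022          # constructed: a typical inherited umask
    touch "$1"         # file now exists with 0666 & ~022 = 0644
    umask 0066         # too late to affect a file that already exists
    file_mode "$1"
)

# Fixed order, as in the jessie patch: tighten the umask, then create.
create_dump_fixed() (
    umask 022
    umask 0066
    touch "$1"         # 0666 & ~066 = 0600
    file_mode "$1"
)

# Succeeds when group or others hold a read bit (octal mask 044).
is_exposed() {
    mode=$(file_mode "$1")
    [ $(( 0$mode & 044 )) -ne 0 ]
}

# Audit helper (hypothetical) for backups created before the fix: list
# regular files under a directory that are still group- or world-readable.
find_exposed_backups() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \)
}

# Remediation helper (hypothetical): strip group/other bits, keep owner rw.
fix_exposed_backups() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \) -exec chmod 0600 {} +
}
```

Running `find_exposed_backups /var/cache/dbconfig-common/backups` before and after `fix_exposed_backups` on the same directory shows which existing dumps the patch alone would have left readable.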
--- Begin Message ---
- To: 783355-done@bugs.debian.org, 784944-done@bugs.debian.org, 787021-done@bugs.debian.org, 787423-done@bugs.debian.org, 791403-done@bugs.debian.org, 792468-done@bugs.debian.org, 792806-done@bugs.debian.org, 793556-done@bugs.debian.org, 794940-done@bugs.debian.org, 796281-done@bugs.debian.org, 797170-done@bugs.debian.org, 797710-done@bugs.debian.org, 798028-done@bugs.debian.org, 798584-done@bugs.debian.org, 798749-done@bugs.debian.org, 798889-done@bugs.debian.org, 798890-done@bugs.debian.org, 798891-done@bugs.debian.org, 798892-done@bugs.debian.org, 798893-done@bugs.debian.org, 798895-done@bugs.debian.org, 799033-done@bugs.debian.org, 799070-done@bugs.debian.org, 799229-done@bugs.debian.org, 799230-done@bugs.debian.org, 799369-done@bugs.debian.org, 799477-done@bugs.debian.org, 799758-done@bugs.debian.org, 799777-done@bugs.debian.org, 800006-done@bugs.debian.org, 800664-done@bugs.debian.org, 800793-done@bugs.debian.org, 800881-done@bugs.debian.org, 801095-done@bugs.debian.org, 801098-done@bugs.debian.org, 801100-done@bugs.debian.org, 801304-done@bugs.debian.org, 801318-done@bugs.debian.org, 801441-done@bugs.debian.org, 801580-done@bugs.debian.org, 801743-done@bugs.debian.org, 801851-done@bugs.debian.org, 801892-done@bugs.debian.org, 802851-done@bugs.debian.org, 802879-done@bugs.debian.org, 802900-done@bugs.debian.org, 802942-done@bugs.debian.org, 803362-done@bugs.debian.org, 803467-done@bugs.debian.org, 803490-done@bugs.debian.org, 803569-done@bugs.debian.org, 803678-done@bugs.debian.org, 803730-done@bugs.debian.org, 804157-done@bugs.debian.org, 804172-done@bugs.debian.org, 804208-done@bugs.debian.org, 804381-done@bugs.debian.org, 804383-done@bugs.debian.org, 804734-done@bugs.debian.org, 804885-done@bugs.debian.org, 805024-done@bugs.debian.org, 805127-done@bugs.debian.org, 805190-done@bugs.debian.org, 805214-done@bugs.debian.org, 805260-done@bugs.debian.org, 805293-done@bugs.debian.org, 805383-done@bugs.debian.org, 805634-done@bugs.debian.org, 
805721-done@bugs.debian.org, 805894-done@bugs.debian.org, 806129-done@bugs.debian.org, 806165-done@bugs.debian.org, 806247-done@bugs.debian.org, 806252-done@bugs.debian.org, 806338-done@bugs.debian.org, 806529-done@bugs.debian.org, 806640-done@bugs.debian.org, 807129-done@bugs.debian.org, 807140-done@bugs.debian.org, 807142-done@bugs.debian.org, 807273-done@bugs.debian.org, 807280-done@bugs.debian.org, 807467-done@bugs.debian.org, 807489-done@bugs.debian.org, 807515-done@bugs.debian.org, 807576-done@bugs.debian.org, 807612-done@bugs.debian.org, 807828-done@bugs.debian.org, 807917-done@bugs.debian.org, 808559-done@bugs.debian.org, 808890-done@bugs.debian.org, 809200-done@bugs.debian.org, 809255-done@bugs.debian.org, 809258-done@bugs.debian.org, 809307-done@bugs.debian.org, 809534-done@bugs.debian.org, 809561-done@bugs.debian.org, 809688-done@bugs.debian.org, 809757-done@bugs.debian.org, 809824-done@bugs.debian.org, 810004-done@bugs.debian.org, 810111-done@bugs.debian.org, 810130-done@bugs.debian.org, 810542-done@bugs.debian.org, 810760-done@bugs.debian.org, 810887-done@bugs.debian.org, 811132-done@bugs.debian.org, 811320-done@bugs.debian.org, 792779-done@bugs.debian.org
- Subject: 8.3 point release cleanup
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jan 2016 13:57:15 +0000
- Message-id: <1453557435.1835.52.camel@adam-barratt.org.uk>
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3 Jessie point release.

Regards,

Adam
--- End Message ---