Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please approve sysstat 12.0.3, which is an upstream bugfix release,
for uploading to unstable and migrating to testing.

The upstream release contains fixes for CVE-2018-19416 [1] and
CVE-2018-19517 [2]; however, the patch [3] is not easily applicable
to the version in buster (12.0.1-1), because it depends on another
patch [4], which contains a fix for a backward compatibility issue
introduced in 12.0.1. Apart from those two quite big patches, the
new upstream release contains a few smaller fixes, like the one
for an infinite loop [5]. In my opinion it should be quite safe to
allow it for buster, most probably safer than trying to backport
the patch [3] to 12.0.1 while getting rid of the dependency on [4].

The Debian packaging part contains fixes for two small regressions
against the current stretch version of sysstat: one is for the init
script failing when systemd is not used [6], and another one is for
the unnecessary execution of the systemd service file during upgrades.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914384
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914553
[3] https://github.com/sysstat/sysstat/commit/bf203d645110ecba8ec3a37874b577ce40a2788b
[4] https://github.com/sysstat/sysstat/commit/87bce40bc02ff77edee44a7b9d8233ae6a056012
[5] https://github.com/sysstat/sysstat/commit/45de3c27697d9c1c4d8feb12c865d1fe53ce45bf
[6] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924864
I uploaded sysstat 12.0.3-1 to experimental a few days ago with the
following changelog:
sysstat (12.0.3-1) experimental; urgency=medium

  * New upstream stable version:
    + sadf: Fix out of bound reads security issues (CVE-2018-19416 and
      CVE-2018-19517, closes: #914384, #914553);
    + sadf: Fix possible infinite loop;
    + sar: Fortify remap_struct() function to prevent possible crashes on
      reading binary datafiles generated by older versions of sysstat.
  * systat.init.d: revert a change introduced in 11.5.5-1, as it caused
    the start script to fail to execute the command that adds "Linux Restart"
    marker into statistics file on systems on which systemd is not used.
    Thanks to Georgios Zarkadas for noticing this (closes: #924864).
  * debian/rules: replace deprecated dh_systemd_start by dh_installsystemd,
    as suggested by lintian; the former command was ignored by debhelper v11,
    which in turn resulted in the `--no-start' option being ignored, and the
    restart markers were incorrectly added during package upgrades.

 -- Robert Luberda <robert@debian.org>  Sun, 17 Mar 2019 23:09:46 +0100
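As an added illustration of the last changelog item (this is not the
packaging from the attached debdiff, which is not reproduced here), the
following debian/rules fragment shows an override of the current
debhelper helper instead of the deprecated one. The target name and the
--no-start option are standard debhelper conventions; that sysstat's
rules file looks exactly like this is an assumption.

```makefile
#!/usr/bin/make -f
# Added example, not sysstat's own debian/rules.

%:
	dh $@

# Under debhelper compat 11 the dh sequence runs dh_installsystemd, not the
# older dh_systemd_start, so an override_dh_systemd_start target is never
# invoked and any --no-start given there is silently lost. Overriding the
# helper that actually runs keeps the service from being started on
# upgrade, so the "Linux Restart" marker is only written at real boots.
override_dh_installsystemd:
	dh_installsystemd --no-start
```

Whether the intended option is in effect can be checked from the build
log, where the dh_installsystemd invocation with --no-start should appear
in place of any dh_systemd_start call.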
The debdiff against buster is attached.
If you think this version would be OK for buster, then I can upload -2
to unstable, with no other changes, except for Debian changelog entry.
Otherwise please let me know what you would approve, and what I should do:
- backport patch [3] only (but I don't think this would be safer);
- backport both patches, i.e. [3], and [4] (but those are the biggest ones);
- something else.
Regards,
robert
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (990, 'unstable-debug'), (990, 'stable-updates'), (990, 'unstable'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Attachment:
sysstat_12.0.3-1.diff.gz
Description: application/gzip
Attachment:
signature.asc
Description: PGP signature