Your message dated Mon, 08 Apr 2019 14:26:18 +0000
with message-id <E1hDVE2-0004LV-Tt@respighi.debian.org>
and subject line unblock sysstat
has caused the Debian Bug report #925185,
regarding unblock sysstat/12.0.3-2
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
925185: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925185
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock pre-approval: sysstat/12.0.3-1 (actually 12.0.3-2)
- From: Robert Luberda <robert@debian.org>
- Date: Wed, 20 Mar 2019 23:41:50 +0100
- Message-id: <20190320224150.GA3068@vox.robbo.home>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please approve sysstat 12.0.3, which is an upstream bugfix release, for uploading to unstable and migrating to testing.

The upstream release contains a fix for CVE-2018-19416 [1] and CVE-2018-19517 [2]; however the patch [3] is not easily applicable to the version in buster (12.0.1-1), because it depends on another patch [4], which contains a fix for a backward compatibility issue introduced in 12.0.1.

Apart from the two quite big patches, the new upstream has a few smaller fixes, like the one related to a fix for an infinite loop [5].

In my opinion it should be quite safe to allow it for buster, most probably safer than trying to backport the patch [3] to 12.0.1 while getting rid of the dependency on [4].

The Debian packaging part contains fixes for two small regressions against the current stretch version of sysstat: one is for an init script failure when systemd is not used [6], and another one is for unnecessary execution of the systemd service file during upgrades.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914384
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914553
[3] https://github.com/sysstat/sysstat/commit/bf203d645110ecba8ec3a37874b577ce40a2788b
[4] https://github.com/sysstat/sysstat/commit/87bce40bc02ff77edee44a7b9d8233ae6a056012
[5] https://github.com/sysstat/sysstat/commit/45de3c27697d9c1c4d8feb12c865d1fe53ce45bf
[6] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924864

I uploaded sysstat 12.0.3-1 to experimental a few days ago with the following changelog:

sysstat (12.0.3-1) experimental; urgency=medium

  * New upstream stable version:
    + sadf: Fix out of bound reads security issues (CVE-2018-19416 and
      CVE-2018-19517, closes: #914384, #914553);
    + sadf: Fix possible infinite loop;
    + sar: Fortify remap_struct() function to prevent possible crashes
      on reading binary datafiles generated by older versions of sysstat.
  * systat.init.d: revert a change introduced in 11.5.5-1, as it caused
    the start script to fail to execute the command that adds "Linux
    Restart" marker into statistics file on systems on which systemd is
    not used. Thanks to Georgios Zarkadas for noticing this
    (closes: #924864).
  * debian/rules: replace deprecated dh_systemd_start by dh_installsystemd,
    as suggested by lintian; the former command was ignored by debhelper
    v11, which in turn resulted in the `--no-start' option being ignored,
    and the restart markers were incorrectly added during package upgrades.

 -- Robert Luberda <robert@debian.org>  Sun, 17 Mar 2019 23:09:46 +0100

The debdiff against buster is attached.

If you think this version would be OK for buster, then I can upload -2 to unstable, with no other changes, except for the Debian changelog entry. Otherwise please let me know what you would approve, and what I should do:
- backport patch [3] only (but I don't think this would be safer);
- backport both patches, i.e. [3], and [4] (but those are the biggest ones);
- something else.

Regards,
robert

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (990, 'unstable-debug'), (990, 'stable-updates'), (990, 'unstable'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Attachment: sysstat_12.0.3-1.diff.gz
Description: application/gzip

Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 925185-done@bugs.debian.org
- Subject: unblock sysstat
- From: Ivo De Decker <ivodd@respighi.debian.org>
- Date: Mon, 08 Apr 2019 14:26:18 +0000
- Message-id: <E1hDVE2-0004LV-Tt@respighi.debian.org>
Unblocked sysstat.
--- End Message ---