Your message dated Sat, 07 Sep 2019 14:34:49 +0100 with message-id <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk> and subject line Closing bugs for fixes including in 10.1 point release has caused the Debian Bug report #932069, regarding buster-pu: calamares-settings-debian 10.0.20-1+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
932069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932069
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: calamares-settings-debian 10.0.20-1+deb10u1
- From: Jonathan Carter <jcc@debian.org>
- Date: Sun, 14 Jul 2019 13:27:33 -0300
- Message-id: <156312165388.8709.5694868079282776240.reportbug@adjutant>
Package: release.debian.org
Severity: normal

Below is a debdiff for CVE-2019-13179, as discussed with the release team over e-mail:

This adds a snippet so that the initramfs will be created with safer permissions when using an encrypted / on a full-disk encrypted system.

""" diff -Nru calamares-settings-debian-10.0.20/debian/changelog calamares-settings-debian-10.0.20/debian/changelog --- calamares-settings-debian-10.0.20/debian/changelog 2019-04-18 10:18:37.000000000 +0200 +++ calamares-settings-debian-10.0.20/debian/changelog 2019-07-03 15:05:47.000000000 +0200 @@ -1,3 +1,11 @@ +calamares-settings-debian (10.0.20-1+deb10u1) buster-security; urgency=medium + + * New upstream release + - Fixes permissions for initramfs image when full-desk encryption + is enabled. (CVE-2019-13179) (Closes: #931373) + + -- Jonathan Carter <jcc@debian.org> Wed, 03 Jul 2019 13:05:47 +0000 + calamares-settings-debian (10.0.20-1) unstable; urgency=medium * New upstream release diff -Nru calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions --- calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions 1970-01-01 02:00:00.000000000 +0200 +++ calamares-settings-debian-10.0.20/debian/patches/fix-initramfs-permissions 2019-07-03 15:05:47.000000000 +0200 
@@ -0,0 +1,26 @@ +Description: fix umask for initramfs permissions + By default, initramfs is world-readable. This configures a snippet + to ensure that the initramfs that will be generated is only accessable + by root. +Author: Jonathan Carter <jcc@debian.org> +Bug-Debian: https://bugs.debian.org/931373 +Bug: https://github.com/calamares/calamares/issues/1191 +Last-Update: 2019-07-08 + +--- calamares-settings-debian-10.0.20.orig/scripts/bootloader-config ++++ calamares-settings-debian-10.0.20/scripts/bootloader-config +@@ -2,6 +2,14 @@ + + CHROOT=$(mount | grep proc | grep calamares | awk '{print $3}' | sed -e "s#/proc##g") + ++# Set secure permissions for the initramfs if we're configuring ++# full-disk-encryption. The initramfs is re-generated later in the ++# installation process so we only set the permissions snippet without ++# regenerating the initramfs right now: ++if [ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ]; then ++ echo "UMASK=0077" > $CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions ++fi ++ + echo "Running bootloader-config..." + + if [ -d /sys/firmware/efi/efivars ]; then diff -Nru calamares-settings-debian-10.0.20/debian/patches/series calamares-settings-debian-10.0.20/debian/patches/series --- calamares-settings-debian-10.0.20/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ calamares-settings-debian-10.0.20/debian/patches/series 2019-07-03 15:05:47.000000000 +0200 @@ -0,0 +1 @@ +fix-initramfs-permissions """
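Review bot: In the debian/changelog hunk, the new entry says "New upstream release" although the upstream version stays at 10.0.20 and the fix is carried as debian/patches/fix-initramfs-permissions, so the entry should describe an added patch instead. The same entry targets buster-security while this request is filed as buster-pu, and "full-desk encryption" should read "full-disk encryption".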
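Review bot: The LUKS test added to scripts/bootloader-config fails open, leaving the initramfs with default permissions and no message whenever the check does not match. `$CHROOT` is unquoted and used as a grep pattern in `grep $CHROOT" "`, so an empty or unexpected value from the mount lookup above it, more than one matching mount line, or a mapping whose name does not begin with "luks" all make the comparison with "/dev/mapper/luks" false. The redirect target `$CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions` is also unquoted and would resolve under the live system's /etc if CHROOT were empty. Suggest quoting "$CHROOT", bailing out when it is empty, and either writing UMASK=0077 unconditionally (the patch description already treats the world-readable default as the problem) or logging when the snippet is skipped.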
--- End Message ---
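A check for the condition this update addresses, as an added example that is not part of the original message or of calamares-settings-debian: it reports whether a root tree has a restrictive `UMASK` configured for initramfs-tools and whether existing `initrd.img-*` files are readable beyond their owner. The function names, the `/boot/initrd.img-*` naming, the "last assignment wins" reading of the configuration files and the use of GNU `stat -c` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit ROOT ("/" or a mounted install target) for initramfs
# images that users other than root can read.

# Print the last UMASK assignment found in initramfs.conf and conf.d/*.
# Assumption: later files override earlier ones.
initramfs_umask() {
    root=${1%/}
    for f in "$root/etc/initramfs-tools/initramfs.conf" \
             "$root"/etc/initramfs-tools/conf.d/*; do
        [ -f "$f" ] && sed -n 's/^UMASK="\{0,1\}\([0-7][0-7]*\).*/\1/p' "$f"
    done | tail -n 1
}

# Return 0 only if a umask ending in 77 is configured and every existing
# image under ROOT/boot grants no group or other permission bits.
audit_initramfs() {
    root=${1%/}
    status=0
    umask_cfg=$(initramfs_umask "$root")
    case $umask_cfg in
        *77) echo "OK   UMASK=$umask_cfg configured" ;;
        *)   echo "WARN UMASK is '${umask_cfg:-unset}', new images may be world-readable"
             status=1 ;;
    esac
    for img in "$root"/boot/initrd.img-*; do
        [ -f "$img" ] || continue          # unmatched glob stays literal
        mode=$(stat -c '%a' "$img")        # GNU stat: octal mode, e.g. 644
        case $mode in
            0|*00) echo "OK   $mode $img" ;;
            *)     echo "FAIL $mode $img is readable beyond its owner"
                   status=1 ;;
        esac
    done
    return "$status"
}

# Run the audit only when a root directory is given on the command line.
[ $# -eq 0 ] || audit_initramfs "$1"
```

An image generated before the snippet was written keeps its old mode, so the image check can still fail after the configuration is corrected until the initramfs is regenerated or its mode is changed.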
--- Begin Message ---
- To: 930795-done@bugs.debian.org, 931126-done@bugs.debian.org, 931198-done@bugs.debian.org, 931199-done@bugs.debian.org, 931358-done@bugs.debian.org, 931596-done@bugs.debian.org, 931608-done@bugs.debian.org, 931615-done@bugs.debian.org, 931616-done@bugs.debian.org, 931724-done@bugs.debian.org, 931817-done@bugs.debian.org, 931967-done@bugs.debian.org, 932009-done@bugs.debian.org, 932030-done@bugs.debian.org, 932069-done@bugs.debian.org, 932111-done@bugs.debian.org, 932193-done@bugs.debian.org, 932318-done@bugs.debian.org, 932335-done@bugs.debian.org, 932441-done@bugs.debian.org, 932448-done@bugs.debian.org, 932518-done@bugs.debian.org, 932522-done@bugs.debian.org, 932588-done@bugs.debian.org, 932606-done@bugs.debian.org, 932684-done@bugs.debian.org, 932790-done@bugs.debian.org, 932945-done@bugs.debian.org, 933036-done@bugs.debian.org, 933125-done@bugs.debian.org, 933147-done@bugs.debian.org, 933175-done@bugs.debian.org, 933369-done@bugs.debian.org, 933379-done@bugs.debian.org, 933392-done@bugs.debian.org, 933535-done@bugs.debian.org, 933754-done@bugs.debian.org, 933764-done@bugs.debian.org, 933769-done@bugs.debian.org, 933787-done@bugs.debian.org, 933899-done@bugs.debian.org, 933911-done@bugs.debian.org, 933976-done@bugs.debian.org, 934094-done@bugs.debian.org, 934163-done@bugs.debian.org, 934183-done@bugs.debian.org, 934308-done@bugs.debian.org, 934311-done@bugs.debian.org, 934329-done@bugs.debian.org, 934343-done@bugs.debian.org, 934345-done@bugs.debian.org, 934507-done@bugs.debian.org, 934537-done@bugs.debian.org, 934650-done@bugs.debian.org, 934689-done@bugs.debian.org, 934704-done@bugs.debian.org, 934826-done@bugs.debian.org, 934827-done@bugs.debian.org, 934928-done@bugs.debian.org, 934934-done@bugs.debian.org, 934956-done@bugs.debian.org, 935137-done@bugs.debian.org, 935165-done@bugs.debian.org, 935200-done@bugs.debian.org, 935253-done@bugs.debian.org, 935261-done@bugs.debian.org, 935265-done@bugs.debian.org, 935308-done@bugs.debian.org, 
935370-done@bugs.debian.org, 935386-done@bugs.debian.org, 935411-done@bugs.debian.org, 935465-done@bugs.debian.org, 935474-done@bugs.debian.org, 935479-done@bugs.debian.org, 935480-done@bugs.debian.org, 935576-done@bugs.debian.org, 935583-done@bugs.debian.org, 935704-done@bugs.debian.org, 935707-done@bugs.debian.org, 935719-done@bugs.debian.org, 935746-done@bugs.debian.org, 935770-done@bugs.debian.org, 935776-done@bugs.debian.org, 935809-done@bugs.debian.org, 935815-done@bugs.debian.org, 935827-done@bugs.debian.org, 935888-done@bugs.debian.org, 935957-done@bugs.debian.org, 935988-done@bugs.debian.org, 936022-done@bugs.debian.org, 936056-done@bugs.debian.org, 938954-done@bugs.debian.org, 938975-done@bugs.debian.org, 939019-done@bugs.debian.org
- Cc: 935588@bugs.debian.org
- Subject: Closing bugs for fixes including in 10.1 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Sep 2019 14:34:49 +0100
- Message-id: <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's buster point release.

Regards,

Adam
--- End Message ---