
Bug#928718: marked as done (stretch-pu: groonga/6.1.5-1+deb9u1)



Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id <17351b82f829eb6917f78885cb849c4060b0a4a6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #928718,
regarding stretch-pu: groonga/6.1.5-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928718: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928718
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

This is stretch pu for groonga-6.1.5-1.

* It fixes #928304

  * debian/groonga-httpd.logrotate
    debian/groonga-server-gqtp.logrotate
    - Mitigate privilege escalation by changing the owner and group of logs
      with "su" option. Reported by Wolfgang Hotwagner.
      (Closes: #928304) (CVE-2019-11675)

I misunderstood the stretch update process, so I've
already uploaded groonga-6.1.5-1+deb9u1.

Mr Adam D. Barratt pointed it out to me, so I've now filed this as stretch-pu.
Thanks!

Here is the debdiff:

 debdiff groonga_6.1.5-1.dsc groonga_6.1.5-1+deb9u1.dsc
diff -Nru groonga-6.1.5/debian/changelog groonga-6.1.5/debian/changelog
--- groonga-6.1.5/debian/changelog      2017-01-23 19:14:09.000000000 +0900
+++ groonga-6.1.5/debian/changelog      2019-05-07 22:33:11.000000000 +0900
@@ -1,3 +1,13 @@
+groonga (6.1.5-1+deb9u1) stretch; urgency=medium
+
+  * debian/groonga-httpd.logrotate
+    debian/groonga-server-gqtp.logrotate
+    - Mitigate privilege escalation by changing the owner and group of logs
+      with "su" option. Reported by Wolfgang Hotwagner.
+      (Closes: #928304) (CVE-2019-11675)
+
+ -- Kentaro Hayashi <hayashi@clear-code.com>  Tue, 07 May 2019 22:33:11 +0900
+
 groonga (6.1.5-1) unstable; urgency=medium
 
   * New upstream release.
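
Review bot: the new changelog item ("Mitigate privilege escalation ... with "su" option") documents only the added directive, while both logrotate files in this debdiff also drop "create 640 groonga groonga". Suggest naming that removal in the entry, with one clause on why it is needed, so the point-release record matches what the upload actually changes.
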
diff -Nru groonga-6.1.5/debian/groonga-httpd.logrotate groonga-6.1.5/debian/groonga-httpd.logrotate
--- groonga-6.1.5/debian/groonga-httpd.logrotate        2016-12-10 15:18:50.000000000 +0900
+++ groonga-6.1.5/debian/groonga-httpd.logrotate        2019-05-07 22:33:11.000000000 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/httpd/*.log {
+    su groonga groonga
     daily
     missingok
     rotate 30
     compress
     delaycompress
     notifempty
-    create 640 groonga groonga
     sharedscripts
     postrotate
         . /etc/default/groonga-httpd
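
Review bot: dropping "create 640 groonga groonga" from the /var/log/groonga/httpd/*.log stanza means this file no longer states the mode and owner of the log that exists after rotation; that now depends on the global logrotate defaults or on whatever process next creates the file. If 640 is still the intended mode, keep the directive below "su groonga groonga", or add a comment in the stanza explaining why it has to go.
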
diff -Nru groonga-6.1.5/debian/groonga-server-gqtp.logrotate groonga-6.1.5/debian/groonga-server-gqtp.logrotate
--- groonga-6.1.5/debian/groonga-server-gqtp.logrotate  2016-12-10 15:18:50.000000000 +0900
+++ groonga-6.1.5/debian/groonga-server-gqtp.logrotate  2019-05-07 22:33:11.000000000 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/*-gqtp.log {
+    su groonga groonga
     daily
     missingok
     rotate 30
     compress
     delaycompress
     notifempty
-    create 640 groonga groonga
     sharedscripts
     postrotate
         . /etc/default/groonga-server-gqtp
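
Review bot: with "su groonga groonga" at the top of the /var/log/groonga/*-gqtp.log stanza, logrotate rotates and compresses these files as groonga instead of root, and nothing in the request says this was exercised on an upgraded system. Please confirm that a forced rotation succeeds on a host upgraded from 6.1.5-1, including the existing rotated and compressed files under "rotate 30" and "delaycompress", and mention the result in the stretch-pu request.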

Attachment: groonga_6.1.5-1+deb9u1.debian.tar.xz
Description: application/xz

Attachment: groonga_6.1.5-1+deb9u1.dsc
Description: Binary data

Attachment: groonga_6.1.5-1+deb9u1_source.buildinfo
Description: Binary data

Attachment: groonga_6.1.5-1+deb9u1_source.changes
Description: Binary data


--- End Message ---
--- Begin Message ---
Version: 9.10

Hi,

The fixes referenced by each of these bugs were included in today's
stretch point release (9.10).

Regards,

Adam

--- End Message ---
