
Bug#928718: stretch-pu: groonga/6.1.5-1+deb9u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

This is a stretch-pu for groonga-6.1.5-1.

* It fixes #928304

  * debian/groonga-httpd.logrotate
    debian/groonga-server-gqtp.logrotate
    - Mitigate privilege escalation by changing the owner and group of logs
      with "su" option. Reported by Wolfgang Hotwagner.
      (Closes: #928304) (CVE-2019-11675)

I misunderstood the stretch update process, so I've
already uploaded groonga-6.1.5-1+deb9u1.

Mr Adam D. Barratt notified me of it, so I've now filed this as stretch-pu.
Thanks!

Here is the debdiff:

 debdiff groonga_6.1.5-1.dsc groonga_6.1.5-1+deb9u1.dsc
diff -Nru groonga-6.1.5/debian/changelog groonga-6.1.5/debian/changelog
--- groonga-6.1.5/debian/changelog      2017-01-23 19:14:09.000000000 +0900
+++ groonga-6.1.5/debian/changelog      2019-05-07 22:33:11.000000000 +0900
@@ -1,3 +1,13 @@
+groonga (6.1.5-1+deb9u1) stretch; urgency=medium
+
+  * debian/groonga-httpd.logrotate
+    debian/groonga-server-gqtp.logrotate
+    - Mitigate privilege escalation by changing the owner and group of logs
+      with "su" option. Reported by Wolfgang Hotwagner.
+      (Closes: #928304) (CVE-2019-11675)
+
+ -- Kentaro Hayashi <hayashi@clear-code.com>  Tue, 07 May 2019 22:33:11 +0900
+
 groonga (6.1.5-1) unstable; urgency=medium
 
   * New upstream release.
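Review bot: the new changelog entry mentions only the added "su" option, but the same upload also deletes `create 640 groonga groonga` from both logrotate files. Add a line for that removal so the entry covers everything the debdiff changes.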
diff -Nru groonga-6.1.5/debian/groonga-httpd.logrotate groonga-6.1.5/debian/groonga-httpd.logrotate
--- groonga-6.1.5/debian/groonga-httpd.logrotate        2016-12-10 15:18:50.000000000 +0900
+++ groonga-6.1.5/debian/groonga-httpd.logrotate        2019-05-07 22:33:11.000000000 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/httpd/*.log {
+    su groonga groonga
     daily
     missingok
     rotate 30
     compress
     delaycompress
     notifempty
-    create 640 groonga groonga
     sharedscripts
     postrotate
         . /etc/default/groonga-httpd
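Review bot: removing `create 640 groonga groonga` after `notifempty` means this stanza no longer pins the mode and owner of the freshly created log; that now depends on logrotate's global settings or on the daemon reopening its log in `postrotate`. `su groonga groonga` and `create` can be used together, so consider keeping the `create` line, or confirm that the new log still ends up 640 and owned by groonga:groonga after a rotation.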
diff -Nru groonga-6.1.5/debian/groonga-server-gqtp.logrotate groonga-6.1.5/debian/groonga-server-gqtp.logrotate
--- groonga-6.1.5/debian/groonga-server-gqtp.logrotate  2016-12-10 15:18:50.000000000 +0900
+++ groonga-6.1.5/debian/groonga-server-gqtp.logrotate  2019-05-07 22:33:11.000000000 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/*-gqtp.log {
+    su groonga groonga
     daily
     missingok
     rotate 30
     compress
     delaycompress
     notifempty
-    create 640 groonga groonga
     sharedscripts
     postrotate
         . /etc/default/groonga-server-gqtp
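Review bot: `su groonga groonga` at the top of this stanza fixes the rotation identity in the packaged file, while `postrotate` sources `/etc/default/groonga-server-gqtp`. If that defaults file lets an administrator run the server under a different account, rotation would run as a user that does not own the logs, so it is worth confirming that the two cannot diverge.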

Attachment: groonga_6.1.5-1+deb9u1.debian.tar.xz
Description: application/xz

Attachment: groonga_6.1.5-1+deb9u1.dsc
Description: Binary data

Attachment: groonga_6.1.5-1+deb9u1_source.buildinfo
Description: Binary data

Attachment: groonga_6.1.5-1+deb9u1_source.changes
Description: Binary data

