
Bug#928715: marked as done (testing-pu: groonga/9.0.0-1+deb10u1)



Your message dated Sat, 11 May 2019 13:24:00 +0000
with message-id <f5ec3970-49a5-b333-f034-89eaeb89aede@thykier.net>
and subject line Re: Bug#928715: testing-pu: groonga/9.0.0-1+deb10u1
has caused the Debian Bug report #928715,
regarding testing-pu: groonga/9.0.0-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928715: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928715
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock groonga package:

* It fixes #928304.
  The bug is reported against 6.1.5-1 on stretch, but it needs to be fixed in the testing and unstable packages too, so I've prepared the update.

Note that it is already packaged in testing (9.0.0-1) and unstable (9.0.1-1).
9.0.1-1 contains changes unrelated to #928304, so based on the freeze policy,
it seems that the update package (9.0.0-1+deb10u1) should be uploaded to testing-proposed-updates explicitly.

Here is the debdiff:

debdiff groonga_9.0.0-1.dsc groonga_9.0.0-1+deb10u1.dsc
diff -Nru groonga-9.0.0/debian/changelog groonga-9.0.0/debian/changelog
--- groonga-9.0.0/debian/changelog      2019-02-09 22:13:00.000000000 +0900
+++ groonga-9.0.0/debian/changelog      2019-05-09 22:44:57.000000000 +0900
@@ -1,3 +1,13 @@
+groonga (9.0.0-1+deb10u1) testing-proposed-updates; urgency=medium
+
+  * debian/groonga-httpd.logrotate
+    debian/groonga-server-gqtp.logrotate
+    - Mitigate privilege escalation by changing the owner and group of logs
+      with "su" option. Reported by Wolfgang Hotwagner.
+      (Closes: #928304) (CVE-2019-11675)
+
+ -- Kentaro Hayashi <hayashi@clear-code.com>  Thu, 09 May 2019 22:44:57 +0900
+
 groonga (9.0.0-1) unstable; urgency=medium
 
   * New upstream version 9.0.0
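
Review bot: The new changelog entry describes the fix only as "changing the owner and group of logs with "su" option", but the logrotate hunks in this debdiff also delete `create 640 groonga groonga`, and that removal is not recorded. Suggest naming both changes in the entry (rotation now runs as the groonga user and group via `su`, and the explicit `create` line was dropped) together with the reason for the removal, so the fix for 6.1.5-1 on stretch can be checked against the same description.
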
diff -Nru groonga-9.0.0/debian/groonga-httpd.logrotate groonga-9.0.0/debian/groonga-httpd.logrotate
--- groonga-9.0.0/debian/groonga-httpd.logrotate        2019-02-09 22:12:32.000000000 +0900
+++ groonga-9.0.0/debian/groonga-httpd.logrotate        2019-05-09 22:43:28.000000000 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/httpd/*.log {
+    su groonga groonga
     daily
     missingok
     rotate 30
     compress
     delaycompress
     notifempty
-    create 640 groonga groonga
     sharedscripts
     postrotate
         . /etc/default/groonga-httpd
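
Review bot: Deleting `create 640 groonga groonga` from the /var/log/groonga/httpd/*.log stanza means this file no longer pins the mode and ownership of the log that replaces the rotated one; they now depend on any global `create` default in the logrotate configuration or on the daemon when it reopens its log in `postrotate`. If the goal is only to stop performing the rotation as root, `su groonga groonga` can be kept alongside `create 640 groonga groonga`; otherwise please explain why the line had to go and confirm the new log still ends up with mode 640.
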
diff -Nru groonga-9.0.0/debian/groonga-server-gqtp.logrotate groonga-9.0.0/debian/groonga-server-gqtp.logrotate
--- groonga-9.0.0/debian/groonga-server-gqtp.logrotate  2019-02-09 22:12:32.000000000 +0900
+++ groonga-9.0.0/debian/groonga-server-gqtp.logrotate  2019-05-09 22:43:28.000000000 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/*-gqtp.log {
+    su groonga groonga
     daily
     missingok
     rotate 30
     compress
     delaycompress
     notifempty
-    create 640 groonga groonga
     sharedscripts
     postrotate
         . /etc/default/groonga-server-gqtp
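
Review bot: The `postrotate` block at the end of this hunk is unchanged, while the rotation it follows now runs under `su groonga groonga` and no longer recreates the log through `create`. Please confirm in the bug that a forced rotation of /var/log/groonga/*-gqtp.log was tested with this stanza and that the server keeps logging to a file owned by groonga afterwards; the same check applies to the httpd stanza.
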

--- End Message ---
--- Begin Message ---
Niels Thykier:
> Control: tags -1 moreinfo confirmed
> 
> On Thu, 9 May 2019 23:10:14 +0900 Kentaro Hayashi
> <hayashi@clear-code.com> wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock groonga package:
>>
>> * It fixes #928304.
>>   The bug is reported against 6.1.5-1 on stretch, but it needs to be fixed in the testing and unstable packages too, so I've prepared the update.
>>
>> Note that it is already packaged in testing (9.0.0-1) and unstable (9.0.1-1).
>> 9.0.1-1 contains changes unrelated to #928304, so based on the freeze policy,
>> it seems that the update package (9.0.0-1+deb10u1) should be uploaded to testing-proposed-updates explicitly.
>>
>> Here is the debdiff:
>>
>> [...]
> 
> Hi,
> 
> Please go ahead with the upload and remove the moreinfo tag when the
> upload is in tpu and ready to be unblocked.
> 
> Thanks,
> ~Niels
> 

Hi,

I saw the upload and have added the approval hint for it.  Please ensure
that the builds complete successfully and let us know if there are
issues with the migration.

Thanks,
~Niels

--- End Message ---
