--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock groonga package:

* It fixes #928304.
The bug is reported against 6.1.5-1 on stretch, but it needs to be fixed on testing and unstable package too, so I've prepared the update.

Note that it is already packaged on testing (9.0.0-1) and unstable (9.0.1-1).
9.0.1-1 contains unrelated changes to #928304, so based on freeze policy,
it seems that update package (9.0.0-1+deb10u1) should be uploaded to testing-proposed-updates explicitly.

Here is the debdiff:

debdiff groonga_9.0.0-1.dsc groonga_9.0.0-1+deb10u1.dsc
diff -Nru groonga-9.0.0/debian/changelog groonga-9.0.0/debian/changelog
--- groonga-9.0.0/debian/changelog 2019-02-09 22:13:00.000000000 +0900
+++ groonga-9.0.0/debian/changelog 2019-05-09 22:44:57.000000000 +0900
@@ -1,3 +1,13 @@
+groonga (9.0.0-1+deb10u1) testing-proposed-updates; urgency=medium
+
+ * debian/groonga-httpd.logrotate
+ debian/groonga-server-gqtp.logrotate
+ - Mitigate privilege escalation by changing the owner and group of logs
+ with "su" option. Reported by Wolfgang Hotwagner.
+ (Closes: #928304) (CVE-2019-11675)
+
+ -- Kentaro Hayashi <hayashi@clear-code.com> Thu, 09 May 2019 22:44:57 +0900
+
groonga (9.0.0-1) unstable; urgency=medium
* New upstream version 9.0.0
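Review bot: The new changelog entry only mentions adding the "su" option, but both logrotate files in this debdiff also drop `create 640 groonga groonga`. Please name that removal in the entry as well (for example a second "-" item under the two file names), so that someone reading the changelog for CVE-2019-11675 sees the full behaviour change without opening the diff.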
diff -Nru groonga-9.0.0/debian/groonga-httpd.logrotate groonga-9.0.0/debian/groonga-httpd.logrotate
--- groonga-9.0.0/debian/groonga-httpd.logrotate 2019-02-09 22:12:32.000000000 +0900
+++ groonga-9.0.0/debian/groonga-httpd.logrotate 2019-05-09 22:43:28.000000000 +0900
@@ -1,11 +1,11 @@
/var/log/groonga/httpd/*.log {
+ su groonga groonga
daily
missingok
rotate 30
compress
delaycompress
notifempty
- create 640 groonga groonga
sharedscripts
postrotate
. /etc/default/groonga-httpd
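Review bot: Removing `create 640 groonga groonga` in this stanza means the mode of the freshly created log is no longer pinned here; it now depends on logrotate's defaults or the global configuration. With `su groonga groonga` in place the file is created as groonga anyway, so `create 640` (or the full `create 640 groonga groonga`) can stay next to `su` to keep the 640 mode explicit. If the removal is intentional, please say why in the changelog.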
diff -Nru groonga-9.0.0/debian/groonga-server-gqtp.logrotate groonga-9.0.0/debian/groonga-server-gqtp.logrotate
--- groonga-9.0.0/debian/groonga-server-gqtp.logrotate 2019-02-09 22:12:32.000000000 +0900
+++ groonga-9.0.0/debian/groonga-server-gqtp.logrotate 2019-05-09 22:43:28.000000000 +0900
@@ -1,11 +1,11 @@
/var/log/groonga/*-gqtp.log {
+ su groonga groonga
daily
missingok
rotate 30
compress
delaycompress
notifempty
- create 640 groonga groonga
sharedscripts
postrotate
. /etc/default/groonga-server-gqtp
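Review bot: The added `su groonga groonga` line at the top of the `/var/log/groonga/*-gqtp.log` stanza carries the whole mitigation, yet nothing in the file says so. A short `#` comment above it pointing at #928304 would keep a later cleanup from dropping it as redundant; the same applies to the httpd file.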
--- End Message ---
--- Begin Message ---
Niels Thykier:
> Control: tags -1 moreinfo confirmed
>
> On Thu, 9 May 2019 23:10:14 +0900 Kentaro Hayashi
> <hayashi@clear-code.com> wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock groonga package:
>>
>> * It fixes #928304.
>> The bug is reported against 6.1.5-1 on stretch, but it needs to be fixed on testing and unstable package too, so I've prepared the update.
>>
>> Note that it is already packaged on testing (9.0.0-1) and unstable (9.0.1-1).
>> 9.0.1-1 contains unrelated changes to #928304, so based on freeze policy,
>> it seems that update package (9.0.0-1+deb10u1) should be uploaded to testing-proposed-updates explicitly.
>>
>> Here is the debdiff:
>>
>> [...]
>
> Hi,
>
> Please go ahead with the upload and remove the moreinfo tag when the
> upload is in tpu and ready to be unblocked.
>
> Thanks,
> ~Niels
>
Hi,

I saw the upload and have added the approval hint for it. Please ensure
that the builds complete successfully and let us know if there are
issues with the migration.

Thanks,
~Niels
--- End Message ---