
Bug#970349: buster-pu: package icinga2/2.10.3-2+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

icinga2 in buster is affected by CVE-2020-14004 as reported in #970252.

As it was deemed no-dsa it should be fixed via a stable update.

Kind Regards,

Bas
diff -Nru icinga2-2.10.3/debian/changelog icinga2-2.10.3/debian/changelog
--- icinga2-2.10.3/debian/changelog	2019-03-01 12:18:30.000000000 +0100
+++ icinga2-2.10.3/debian/changelog	2020-09-14 06:47:22.000000000 +0200
@@ -1,3 +1,12 @@
+icinga2 (2.10.3-2+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Update branch in gbp.conf & Vcs-Git URL.
+  * Add upstream patch to fix CVE-2020-14004.
+    (closes: #970252)
+
+ -- Bas Couwenberg <sebastic@debian.org>  Mon, 14 Sep 2020 06:47:22 +0200
+
 icinga2 (2.10.3-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru icinga2-2.10.3/debian/control icinga2-2.10.3/debian/control
--- icinga2-2.10.3/debian/control	2018-12-25 23:27:26.000000000 +0100
+++ icinga2-2.10.3/debian/control	2020-09-14 06:47:22.000000000 +0200
@@ -29,7 +29,7 @@
                po-debconf
 Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-icinga2
-Vcs-Git: https://salsa.debian.org/nagios-team/pkg-icinga2.git
+Vcs-Git: https://salsa.debian.org/nagios-team/pkg-icinga2.git -b buster
 Homepage: https://icinga.com
 
 Package: icinga2
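
Review bot: Vcs-Browser in the context line just above the changed Vcs-Git line still points at the repository root, while Vcs-Git now selects the packaging branch with '-b buster'. Consider pointing Vcs-Browser at the buster branch too, so both fields refer to the same branch for this stable update.
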
diff -Nru icinga2-2.10.3/debian/gbp.conf icinga2-2.10.3/debian/gbp.conf
--- icinga2-2.10.3/debian/gbp.conf	2018-12-12 08:10:41.000000000 +0100
+++ icinga2-2.10.3/debian/gbp.conf	2020-09-14 06:47:22.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = buster
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch
--- icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch	1970-01-01 01:00:00.000000000 +0100
+++ icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch	2020-09-14 06:47:22.000000000 +0200
@@ -0,0 +1,23 @@
+Description: prepare-dirs: combine mkdir and chmod
+ Fixes CVE-2020-14004
+Author: "Alexander A. Klimov" <alexander.klimov@icinga.com>
+Origin: https://github.com/Icinga/icinga2/commit/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6
+Bug: https://github.com/Icinga/icinga2/pull/8046
+
+--- a/etc/initsystem/prepare-dirs.cmake
++++ b/etc/initsystem/prepare-dirs.cmake
+@@ -26,12 +26,10 @@ getent group $ICINGA2_GROUP >/dev/null 2
+ getent group $ICINGA2_COMMAND_GROUP >/dev/null 2>&1 || (echo "Icinga command group '$ICINGA2_COMMAND_GROUP' does not exist. Exiting." && exit 6)
+ 
+ if [ ! -e "$ICINGA2_INIT_RUN_DIR" ]; then
+-	mkdir "$ICINGA2_INIT_RUN_DIR"
+-	mkdir "$ICINGA2_INIT_RUN_DIR"/cmd
++	mkdir -m 755 "$ICINGA2_INIT_RUN_DIR"
++	mkdir -m 2750 "$ICINGA2_INIT_RUN_DIR"/cmd
+ fi
+ 
+-chmod 755 "$ICINGA2_INIT_RUN_DIR"
+-chmod 2750 "$ICINGA2_INIT_RUN_DIR"/cmd
+ chown -R $ICINGA2_USER:$ICINGA2_COMMAND_GROUP "$ICINGA2_INIT_RUN_DIR"
+ 
+ test -e "$ICINGA2_LOG_DIR" || install -m 750 -o $ICINGA2_USER -g $ICINGA2_COMMAND_GROUP -d "$ICINGA2_LOG_DIR"
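
Review bot: With the two 'chmod' lines removed, the modes 755 and 2750 are applied only inside the 'if [ ! -e "$ICINGA2_INIT_RUN_DIR" ]' branch, so a run directory that already exists keeps whatever modes it currently has, while the remaining 'chown -R $ICINGA2_USER:$ICINGA2_COMMAND_GROUP "$ICINGA2_INIT_RUN_DIR"' still runs unconditionally and recursively over that pre-existing tree. Please confirm that this is the intended behaviour for upgrades on systems where the directory is already present. The patch header says only "Fixes CVE-2020-14004"; a sentence in the Description explaining why setting the mode at creation time with 'mkdir -m' closes the issue would make the change easier for the release team to review.
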
diff -Nru icinga2-2.10.3/debian/patches/series icinga2-2.10.3/debian/patches/series
--- icinga2-2.10.3/debian/patches/series	2019-03-01 12:17:29.000000000 +0100
+++ icinga2-2.10.3/debian/patches/series	2020-09-14 06:47:22.000000000 +0200
@@ -1,3 +1,4 @@
 21_config_changes
 postgres-checkcommand.patch
 comparepasswords_issafe.patch
+0001-prepare-dirs-combine-mkdir-and-chmod.patch
