Bug#954716: marked as done (buster-pu: package suricata/1:4.1.2-2)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #954716,
regarding buster-pu: package suricata/1:4.1.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
954716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954716
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I would like to propose an update for the version of suricata in buster
(4.1.2-2). It addresses a problem with dropping privileges when started
in a particular runmode, which would otherwise fail in this version.
Upstream has merged this patch already [1] and it has been included in
the current version in unstable (5.0.2) [2] which the original patch author
backported to 4.1.2 to allow fixing it in buster as well.

The corresponding bug in Debian is #951181 [3] -- it has the required
severity of important and describes the issue in more detail.

I have also attached a debdiff of the proposed changes to the source
package. It builds fine in a buster chroot and all autopkgtests succeed
with no issues in a buster LXC container.

Please let me know what the next steps would be. Thanks!

Best regards
Sascha Steinbiss

[1] https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391
[2] https://suricata-ids.org/2020/02/13/suricata-5-0-2-released/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951181
diff -Nru suricata-4.1.2/debian/changelog suricata-4.1.2/debian/changelog
--- suricata-4.1.2/debian/changelog	2019-01-09 12:53:47.000000000 +0100
+++ suricata-4.1.2/debian/changelog	2020-03-22 12:07:13.000000000 +0100
@@ -1,3 +1,10 @@
+suricata (1:4.1.2-2+deb10u1) buster; urgency=medium
+
+  * Include patch for issue fixed upstream, see bug report below.
+    Closes: #951181
+
+ -- Sascha Steinbiss <satta@debian.org>  Sun, 22 Mar 2020 12:07:13 +0100
+
 suricata (1:4.1.2-2) unstable; urgency=medium
 
   * Upload to unstable.
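
Review bot: The new changelog entry ("Include patch for issue fixed upstream, see bug report below.") does not say what the upload changes, so anyone reading the point-release changelog has to open #951181 to learn that it concerns privilege dropping. Suggest naming the fix directly, for example "Fix dropping privileges in nflog runmode (backport of upstream commit 1262ecb)", and keeping the Closes: line as it is.
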
diff -Nru suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
--- suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch	1970-01-01 01:00:00.000000000 +0100
+++ suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch	2020-03-22 12:06:40.000000000 +0100
@@ -0,0 +1,37 @@
+From: Timo Sigurdsson <public_timo.s@silentcreek.de>
+Date: Tue, 11 Feb 2020 23:29:06 +0100
+Subject: [PATCH] init: Fix dropping privileges in nflog runmode
+
+Using the run-as configuration option with the nflog capture method
+results in the following error during the startup of suricata:
+[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed
+
+This is because SCDropMainThreadCaps does not have any capabilities
+defined for the nflog runmode (unlike other runmodes). Therefore, apply
+the same capabilities to the nflog runmode that are already defined for
+the nfqueue runmode. This has been confirmed to allow suricata start
+and drop its privileges in the nflog runmode.
+
+Fixes redmine issue #3265.
+
+Backport of commit 1262ecb upstream to suricata 4.1.2 (Debian Buster).
+
+Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
+---
+ src/util-privs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/util-privs.c
++++ b/src/util-privs.c
+@@ -75,9 +75,10 @@
+                     CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE,
+                     -1);
+             break;
++        case RUNMODE_NFLOG:
+         case RUNMODE_NFQ:
+             capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+-                    CAP_NET_ADMIN,          /* needed for nfqueue inline mode */
++                    CAP_NET_ADMIN,          /* needed for nflog and nfqueue inline mode */
+                     CAP_SYS_NICE,
+                     -1);
+             break;
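
Review bot: The patch header carries no DEP-3 Origin or Bug-Debian fields, so the tie to upstream survives only as the short hash in "Backport of commit 1262ecb upstream"; consider adding "Origin: backport, https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391" and "Bug-Debian: https://bugs.debian.org/951181" ahead of the "---" line. In the code, "case RUNMODE_NFLOG:" falls through into the nfqueue branch, so nflog receives CAP_NET_ADMIN and CAP_SYS_NICE and any later change to the nfqueue capability set will apply to nflog as well; a brief comment marking the fall-through as intentional would make that coupling visible.
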
diff -Nru suricata-4.1.2/debian/patches/series suricata-4.1.2/debian/patches/series
--- suricata-4.1.2/debian/patches/series	2019-01-09 12:19:12.000000000 +0100
+++ suricata-4.1.2/debian/patches/series	2020-03-22 12:06:05.000000000 +0100
@@ -4,3 +4,4 @@
 no-use-gnu.patch
 suricata-common-last.patch
 fix-repeated-builds.patch
+backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---