Your message dated Sat, 09 Oct 2021 12:09:40 +0100 with message-id <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk> and subject line Closing p-u bugs for updates in 11.1 has caused the Debian Bug report #993899, regarding bullseye-pu: package btrbk/0.27.1-1.1+deb11u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 993899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993899 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: bullseye-pu: package btrbk/0.27.1-1.1+deb11u1
- From: Thorsten Alteholz <debian@alteholz.de>
- Date: Tue, 7 Sep 2021 21:09:33 +0000 (UTC)
- Message-id: <alpine.DEB.2.21.2109072108190.25458@postfach.intern.alteholz.me>
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian.org@packages.debian.org Usertags: pu The attached debdiff for btrbk fixes CVE-2021-38173 in Bullseye. This CVE is marked as no-dsa by the security team. The same patch was already uploaded to unstable with version 0.27.1-2. Thorstendiff -Nru btrbk-0.27.1/debian/changelog btrbk-0.27.1/debian/changelog --- btrbk-0.27.1/debian/changelog 2021-01-03 13:57:08.000000000 +0100 +++ btrbk-0.27.1/debian/changelog 2021-08-29 19:03:02.000000000 +0200 @@ -1,3 +1,12 @@ +btrbk (0.27.1-1.1+deb11u1) bullseye; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2021-38173 + fixes a security vulnerability which would have allowed for an + arbitrary code execution + + -- Thorsten Alteholz <debian@alteholz.de> Sun, 29 Aug 2021 19:03:02 +0200 + btrbk (0.27.1-1.1) unstable; urgency=medium * Non maintainer upload by the Reproducible Builds team. diff -Nru btrbk-0.27.1/debian/patches/CVE-2021-38173.patch btrbk-0.27.1/debian/patches/CVE-2021-38173.patch --- btrbk-0.27.1/debian/patches/CVE-2021-38173.patch 1970-01-01 01:00:00.000000000 +0100 +++ btrbk-0.27.1/debian/patches/CVE-2021-38173.patch 2021-08-29 19:03:02.000000000 +0200 @@ -0,0 +1,32 @@ +From 58212de771c381cd4fa05625927080bf264e9584 Mon Sep 17 00:00:00 2001 +From: Axel Burri <axel@tty0.ch> +Date: Sun, 21 Mar 2021 12:53:22 +0100 +Subject: [PATCH] ssh_filter_btrbk.sh: fix alternation regex + +Security vulnerability fixed in alternation regex. Specialy crafted +commands may be executed without being propely checked. + +Affects all versions >= btrbk-v0.23.0 + +Regression from: + + ccb5ed5e71 ssh_filter_btrbk: allow "realpath" and "cat /proc/self/mounts" on targets + +Reported by: @protree (responsible disclosure) +--- + ssh_filter_btrbk.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: btrbk-0.27.1/ssh_filter_btrbk.sh +=================================================================== +--- btrbk-0.27.1.orig/ssh_filter_btrbk.sh 2021-08-30 15:04:39.595339393 +0200 ++++ btrbk-0.27.1/ssh_filter_btrbk.sh 2021-08-30 15:04:39.591339393 +0200 +@@ -87,7 +87,7 @@ + return 0 + fi + +- exact_cmd_match="^${allow_exact_list}$"; ++ exact_cmd_match="^(${allow_exact_list})$"; + if [[ $SSH_ORIGINAL_COMMAND =~ $exact_cmd_match ]] ; then + return 0 + fi diff -Nru btrbk-0.27.1/debian/patches/series btrbk-0.27.1/debian/patches/series --- btrbk-0.27.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ btrbk-0.27.1/debian/patches/series 2021-08-29 19:03:02.000000000 +0200 @@ -0,0 +1 @@ +CVE-2021-38173.patch
--- End Message ---
--- Begin Message ---
- To: 992063-done@bugs.debian.org, 992078-done@bugs.debian.org, 992114-done@bugs.debian.org, 992153-done@bugs.debian.org, 992206-done@bugs.debian.org, 992299-done@bugs.debian.org, 992435-done@bugs.debian.org, 992547-done@bugs.debian.org, 992693-done@bugs.debian.org, 992836-done@bugs.debian.org, 992843-done@bugs.debian.org, 992956-done@bugs.debian.org, 992978-done@bugs.debian.org, 993035-done@bugs.debian.org, 993049-done@bugs.debian.org, 993133-done@bugs.debian.org, 993225-done@bugs.debian.org, 993276-done@bugs.debian.org, 993281-done@bugs.debian.org, 993282-done@bugs.debian.org, 993283-done@bugs.debian.org, 993396-done@bugs.debian.org, 993489-done@bugs.debian.org, 993523-done@bugs.debian.org, 993564-done@bugs.debian.org, 993604-done@bugs.debian.org, 993639-done@bugs.debian.org, 993655-done@bugs.debian.org, 993656-done@bugs.debian.org, 993708-done@bugs.debian.org, 993720-done@bugs.debian.org, 993792-done@bugs.debian.org, 993793-done@bugs.debian.org, 993822-done@bugs.debian.org, 993825-done@bugs.debian.org, 993899-done@bugs.debian.org, 993968-done@bugs.debian.org, 994022-done@bugs.debian.org, 994107-done@bugs.debian.org, 994111-done@bugs.debian.org, 994112-done@bugs.debian.org, 994147-done@bugs.debian.org, 994490-done@bugs.debian.org, 994555-done@bugs.debian.org, 994574-done@bugs.debian.org, 994627-done@bugs.debian.org, 994709-done@bugs.debian.org, 994710-done@bugs.debian.org, 994828-done@bugs.debian.org, 994861-done@bugs.debian.org, 994880-done@bugs.debian.org, 994881-done@bugs.debian.org, 994885-done@bugs.debian.org, 994907-done@bugs.debian.org, 994946-done@bugs.debian.org, 995025-done@bugs.debian.org, 995062-done@bugs.debian.org, 995075-done@bugs.debian.org, 995144-done@bugs.debian.org, 995237-done@bugs.debian.org, 995304-done@bugs.debian.org, 995306-done@bugs.debian.org, 995331-done@bugs.debian.org, 995469-done@bugs.debian.org, 995481-done@bugs.debian.org, 994097-done@bugs.debian.org
- Subject: Closing p-u bugs for updates in 11.1
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Oct 2021 12:09:40 +0100
- Message-id: <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 11.1 Hi, The updates relating to these bugs were included in this morning's 11.1 point release for bullseye. Regards, Adam
--- End Message ---