Your message dated Sat, 09 Jul 2022 11:47:43 +0100 with message-id <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk> and subject line Closing requests for updates included in 11.4 has caused the Debian Bug report #1004580, regarding bullseye-pu: package logrotate/3.18.0-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1004580: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004580 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package logrotate/3.18.0-2
- From: Christian Göttsche <cgzones@googlemail.com>
- Date: Sun, 30 Jan 2022 19:23:20 +0100
- Message-id: <CAJ2a_DfX75SEfrthxNCDPDCHtDJ2ao2D_wCnLkK66LeZXeygoA@mail.gmail.com>
Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: pu Tags: bullseye X-Debbugs-Cc: cgzones@googlemail.com Severity: normal [ Reason ] Logrotate does not reject invalid files as configuration files and tries to parse at least parts of them. Those files for example might be crafted coredumps, placed in /etc/logrotate.d/ via an unsafe core dump handler. Be more strict while parsing configuration files. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002022 https://github.com/logrotate/logrotate/pull/427 https://www.openwall.com/lists/oss-security/2021/10/20/2 Also include two other fixes, one using the correct stat information when verifying an olddir configuration after creating the olddir, the other advancing pointer in full_write on incomplete write to avoid data corruption. [ Impact ] With an unsafe coredump handler logrotate can be used in an exploit chain to execute arbitrary code. Since logrotate is not the main culprit, there might still be alternatives. [ Tests ] The changes are all part of the recent logrotate release 3.19.0. [ Risks ] Since the configuration parser gets much stricter previously accepted, but unsharp, files may become invalid, leading to logrotate not rotating the files related to that section. A failure of logrotate is handled by systemd by setting the service state to "failed" and the system status to "degraded". Cron might send an email with the command output. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable (everything is included in 3.19.0-1)Attachment: logrotate-3.18.0-2+deb11u1.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
- To: 1000355-done@bugs.debian.org, 1003261-done@bugs.debian.org, 1003713-done@bugs.debian.org, 1004459-done@bugs.debian.org, 1004580-done@bugs.debian.org, 1005129-done@bugs.debian.org, 1005135-done@bugs.debian.org, 1005231-done@bugs.debian.org, 1005237-done@bugs.debian.org, 1005252-done@bugs.debian.org, 1005256-done@bugs.debian.org, 1006316-done@bugs.debian.org, 1006504-done@bugs.debian.org, 1007714-done@bugs.debian.org, 1007762-done@bugs.debian.org, 1008045-done@bugs.debian.org, 1008153-done@bugs.debian.org, 1008161-done@bugs.debian.org, 1008162-done@bugs.debian.org, 1008166-done@bugs.debian.org, 1008168-done@bugs.debian.org, 1008268-done@bugs.debian.org, 1008577-done@bugs.debian.org, 1009077-done@bugs.debian.org, 1009250-done@bugs.debian.org, 1009345-done@bugs.debian.org, 1009363-done@bugs.debian.org, 1009726-done@bugs.debian.org, 1010037-done@bugs.debian.org, 1010050-done@bugs.debian.org, 1010058-done@bugs.debian.org, 1010194-done@bugs.debian.org, 1010211-done@bugs.debian.org, 1010304-done@bugs.debian.org, 1010383-done@bugs.debian.org, 1010439-done@bugs.debian.org, 1010613-done@bugs.debian.org, 1010857-done@bugs.debian.org, 1010924-done@bugs.debian.org, 1010963-done@bugs.debian.org, 1011022-done@bugs.debian.org, 1011198-done@bugs.debian.org, 1011271-done@bugs.debian.org, 1011287-done@bugs.debian.org, 1011331-done@bugs.debian.org, 1011359-done@bugs.debian.org, 1011365-done@bugs.debian.org, 1011426-done@bugs.debian.org, 1011746-done@bugs.debian.org, 1011939-done@bugs.debian.org, 1011942-done@bugs.debian.org, 1012033-done@bugs.debian.org, 1012047-done@bugs.debian.org, 1012140-done@bugs.debian.org, 1012322-done@bugs.debian.org, 1012323-done@bugs.debian.org, 1012331-done@bugs.debian.org, 1012553-done@bugs.debian.org, 1012585-done@bugs.debian.org, 1012723-done@bugs.debian.org, 1013237-done@bugs.debian.org, 1013306-done@bugs.debian.org, 1013418-done@bugs.debian.org, 1013755-done@bugs.debian.org, 1013879-done@bugs.debian.org, 1013880-done@bugs.debian.org, 1013944-done@bugs.debian.org, 1014014-done@bugs.debian.org, 1014054-done@bugs.debian.org, 1014079-done@bugs.debian.org, 1014199-done@bugs.debian.org, 1014206-done@bugs.debian.org, 1014221-done@bugs.debian.org
- Subject: Closing requests for updates included in 11.4
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Jul 2022 11:47:43 +0100
- Message-id: <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 11.4 (re-sending with fixed bug numbers) Hi, The updates discussed in these bugs were included in today's bullseye point release. Regards, Adam
--- End Message ---