
Bug#1054189: marked as done (bullseye-pu: package debian-security-support/1:11+2023.12.11)



Your message dated Sat, 10 Feb 2024 13:02:55 +0000
with message-id <E1rYn0R-002xpX-IG@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1054189,
regarding bullseye-pu: package debian-security-support/1:11+2023.12.11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1054189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054189
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-security-support@packages.debian.org
Control: affects -1 + src:debian-security-support

Dear release team,

[ Reason ]
The reasons for this proposed update are:
* Fix two bugs already solved in bookworm (#986581 and #986333)
* Include samba in the list of packages with limited support (#1053109).

Currently, because of #986581 and #986333, d-d-s's check-support-status
silently ignores "golang*" packages, so users don't get any warning
about their limited support status.

[ Impact ]
Bullseye users will continue not to get any warning about the limited
support regarding the golang.* packages installed on their systems.

As for the samba-related change, without the upload, users will lose a
chance to get informed about its security support situation.

[ Tests ]
The changes include tests to verify #986581 and #986333 have been fixed.
I have also manually verified on a bullseye container how the current
and the proposed packages behave, and I can confirm the issues are
fixed, and I didn't identify any regression.

[ Risks ]
The relevant code has been included in bookworm since its release. It
was fully included in 1:12+2021.09.30:
https://tracker.debian.org/news/1263114/accepted-debian-security-support-11220210930-source-into-unstable/

The only difference in check-support-status.in between the proposed
update and bookworm is:

git diff HEAD bookworm -- check-support-status.in
diff --git a/check-support-status.in b/check-support-status.in
index 3ebf5e9..86b080a 100755
--- a/check-support-status.in
+++ b/check-support-status.in
@@ -13,7 +13,7 @@ VERSION='[% VERSION %]'
 # Oldest Debian version included in debian-security-support
 DEB_LOWEST_VER_ID=9
 # Version ID for next Debian stable
-DEB_NEXT_VER_ID=12
+DEB_NEXT_VER_ID=13

 if [ -z "$DEBIAN_VERSION" ] ; then
     DEBIAN_VERSION="$(cat /etc/debian_version | grep '[0-9.]' | cut -d. -f1)"

So the risk of regression is minimal.


Regarding the change of adding samba to the list of packages with
limited support, that doesn't represent any risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

From d/changelog:

  * Mark samba support limited to non-AD DC uses cases (Closes: #1053109)

    The explanation is found here: https://www.debian.org/security/2021/dsa-5015

  * Drop version-based check (Closes: #986581) and update test suite
    accordingly. Backport changes made by Sylvain Beucler.
  * Match ecosystems with limited support, test case updated. (Closes: #986333)
    Backport changes by Sylvain Beucler.

    These changes are reflected in check-support-status.in. The tests to
    check them are found in t/check-support-status. To fix the relevant
    bugs, the changes needed to remove a conditional to avoid comparing
    against an installed version. That check is kind of obsolete, and
    it didn't make any sense to compare against package name patterns.
    Second, the changes included the fix to compare against a regex
    pattern, and avoid misidentifying packages whose name would match
    the non-optimal "golang*". And that is the reason for:

    * Use golang.* (as regex) instead of golang* in security-support-limited

[ Other info ]

N/A

Cheers,

 -- Santiago
diff -Nru debian-security-support-11+2023.05.04/check-support-status.in debian-security-support-11+2023.10.17/check-support-status.in
--- debian-security-support-11+2023.05.04/check-support-status.in	2023-05-04 14:27:19.000000000 -0300
+++ debian-security-support-11+2023.10.17/check-support-status.in	2023-10-17 13:08:20.000000000 -0300
@@ -175,12 +175,11 @@
 
 # Create intersection
 LEFT="$TEMPDIR/left"
-RIGHT="$TEMPDIR/right"
 INTERSECTION_LIST="$TEMPDIR/intersection"
 [% AWK %] -F'\t' '{print $3}' "$INSTALLED_LIST" | LC_ALL=C sort -u >"$LEFT"
-grep -v '^#' "$LIST" | LC_ALL=C sort | [% AWK %] '{print $1}' >"$RIGHT"
+PATTERNS=$(grep -vP '^(#|$)' "$LIST" | [% AWK %] '{print $1}' | paste -sd'|')
 
-LC_ALL=C comm -12 "$LEFT" "$RIGHT" >"$INTERSECTION_LIST"
+LC_ALL=C grep -P -x -e "$PATTERNS" "$LEFT" >"$INTERSECTION_LIST" || true
 if [ ! -s "$INTERSECTION_LIST" ] ; then
     # nothing to do
     exit 0
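Review bot: the `|| true` on the new `grep -P -x -e "$PATTERNS"` line hides more than the no-match case. GNU grep exits 2 on an error such as an invalid pattern, and since every first field of $LIST is now interpreted as a PCRE rather than a literal source name, a stray `(`, `[` or `+` in a future list entry would make the whole intersection come back empty, after which the `if [ ! -s "$INTERSECTION_LIST" ]` check exits 0 and every package is skipped silently, which is exactly the failure mode this update sets out to fix. Consider treating only exit status 1 as "nothing matched", e.g. `|| [ $? -eq 1 ]`, and failing loudly otherwise. For the same reason it is worth stating in the list file that first fields are anchored regular expressions, since a `.` in an existing package name now matches any character.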
@@ -190,9 +189,14 @@
 mkdir -p "$TD"
 
 cat "$INTERSECTION_LIST" | while read SRC_NAME ; do
+    LINE=$(grep -vP '^(#|$)' "$LIST" | while read pattern rest ; do
+            if echo $SRC_NAME | grep -q -P -x -e "$pattern" ; then
+                echo "$pattern $rest"
+                break
+            fi
+        done)
     IFS="$(printf '\nx')"
     IFS="${IFS%x}"
-    LINE="$([% AWK %] '($1=="'"$SRC_NAME"'"){print}' "$LIST" | head -1)"
     case "$TYPE" in
         earlyend)
             TMP_WHEN="$(echo "$LINE" | [% AWK %] '{print $3}')"
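Review bot: the new `LINE=$(... | while read pattern rest ...)` block depends on `read` splitting each list line on whitespace, but it runs before the two `IFS=` lines at the bottom of this hunk, which switch IFS to a newline for the rest of the loop body; unless IFS is restored before `done` (not visible here), the second and later source packages would see `pattern` set to the whole line and never match. Worth confirming against the full script, or restoring the default IFS right before the new block so the dependency is explicit. Also quote `"$SRC_NAME"` in `echo $SRC_NAME | grep ...`: it is the only unquoted expansion in this block and is subject to glob expansion. Minor: the inner pipeline re-reads and re-filters `$LIST` once per intersected source; the filtered patterns could be written to a file once, next to `$LEFT`, and reused.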
@@ -256,34 +260,28 @@
         esac
         # for earlyend and ended, check packages actually affected (if TMP_WHEN not null)
         if [ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ] ; then
-            if \
-                [ -z "$ALERT_VERSION" ] ||
-                [ "$BIN_VERSION" = "$ALERT_VERSION" ] ||
-                dpkg --compare-versions "$BIN_VERSION" '<=' "$ALERT_VERSION"
-            then
-                # need to alert, but check status db first
-                TOKEN="$BIN_NAME/$BIN_VERSION"
-                if [ "$STATUSDB_FILE" ] && [ -f "$STATUSDB_FILE" ]; then
-                    if grep -qFx "$TOKEN" "$STATUSDB_FILE" ; then
-                        continue
-                    fi
+            # need to alert, but check status db first
+            TOKEN="$BIN_NAME/$BIN_VERSION"
+            if [ "$STATUSDB_FILE" ] && [ -f "$STATUSDB_FILE" ]; then
+                if grep -qFx "$TOKEN" "$STATUSDB_FILE" ; then
+                    continue
+                fi
+            fi
+            echo "$BIN_NAME $BIN_VERSION" >>"$TD/$SRC_NAME.bin"
+            echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version"
+            echo "$ALERT_WHEN" >"$TD/$SRC_NAME.when"
+            echo "$ALERT_WHY" >"$TD/$SRC_NAME.why"
+            if [ "$STATUSDB_FILE" ] ; then
+                # add to status db, remove any older entries
+                if [ -f "$STATUSDB_FILE" ]; then
+                    TEMPFILE="$(mktemp --tmpdir="$(dirname "$STATUSDB_FILE")")"
+                    [% AWK %] -F/ '($1!="'"$BIN_NAME"'"){print}' \
+                        <"$STATUSDB_FILE" >"$TEMPFILE"
+                    mv "$TEMPFILE" "$STATUSDB_FILE"
                 fi
-                echo "$BIN_NAME $BIN_VERSION" >>"$TD/$SRC_NAME.bin"
-                echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version"
-                echo "$ALERT_WHEN" >"$TD/$SRC_NAME.when"
-                echo "$ALERT_WHY" >"$TD/$SRC_NAME.why"
-                if [ "$STATUSDB_FILE" ] ; then
-                    # add to status db, remove any older entries
-                    if [ -f "$STATUSDB_FILE" ]; then
-                        TEMPFILE="$(mktemp --tmpdir="$(dirname "$STATUSDB_FILE")")"
-                        [% AWK %] -F/ '($1!="'"$BIN_NAME"'"){print}' \
-                            <"$STATUSDB_FILE" >"$TEMPFILE"
-                        mv "$TEMPFILE" "$STATUSDB_FILE"
-                    fi
-                    echo "$TOKEN" >>"$STATUSDB_FILE"
-                fi  # maintain status db
-            fi # package BIN_NAME's version is not supported
-        fi
+                echo "$TOKEN" >>"$STATUSDB_FILE"
+            fi  # maintain status db
+        fi # package BIN_NAME's version is not supported
     done # read binary name and version for matching source name
 done # each source package from intersection
 
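Review bot: with the `dpkg --compare-versions` branch removed, the trailing comment `fi # package BIN_NAME's version is not supported` no longer describes the condition it closes; the guard is now only `[ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ]`, so reword the comment to match. Behaviourally, every installed binary of a listed source is now reported regardless of its version, which is what #986581 asks for. `$ALERT_VERSION` is still written to `$TD/$SRC_NAME.version`, so the report keeps showing the listed version; that is fine as long as the report wording does not suggest the installed version was compared against it.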
diff -Nru debian-security-support-11+2023.05.04/debian/changelog debian-security-support-11+2023.10.17/debian/changelog
--- debian-security-support-11+2023.05.04/debian/changelog	2023-05-04 14:27:19.000000000 -0300
+++ debian-security-support-11+2023.10.17/debian/changelog	2023-10-17 13:08:20.000000000 -0300
@@ -1,3 +1,15 @@
+debian-security-support (1:11+2023.10.17) bullseye; urgency=medium
+
+  * Team upload.
+  * Mark samba support limited to non-AD DC uses cases (Closes: #1053109)
+  * Drop version-based check (Closes: #986581) and update test suite
+    accordingly. Backport changes made by Sylvain Beucler.
+  * Match ecosystems with limited support, test case updated. (Closes: #986333)
+    Backport changes by Sylvain Beucler.
+    * Use golang.* (as regex) instead of golang* in security-support-limited
+
+ -- Santiago Ruano Rincón <santiago@freexian.com>  Tue, 17 Oct 2023 13:08:20 -0300
+
 debian-security-support (1:11+2023.05.04) bullseye-updates; urgency=medium
 
   [ Holger Levsen ]
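Review bot: "non-AD DC uses cases" should read "use cases" (the same wording is repeated in the [ Changes ] section of the request). The sub-bullet `* Use golang.* (as regex) instead of golang* in security-support-limited` is nested under the #986333 entry; since it is the change that makes the list file work with the new matching code, it may deserve its own top-level bullet so it is not overlooked when reading the changelog.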
diff -Nru debian-security-support-11+2023.05.04/security-support-limited debian-security-support-11+2023.10.17/security-support-limited
--- debian-security-support-11+2023.05.04/security-support-limited	2023-05-04 14:27:19.000000000 -0300
+++ debian-security-support-11+2023.10.17/security-support-limited	2023-10-17 13:08:20.000000000 -0300
@@ -11,7 +11,7 @@
 cython          Only included for building packages, not running them, #975058
 ganglia         See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
 ganglia-web     See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
-golang*		See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking
+golang.*		See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking
 gnupg1          See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
 kde4libs        khtml has no security support upstream, only for use on trusted content
 khtml           khtml has no security support upstream, only for use on trusted content, see #1004293
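Review bot: this line only has an effect together with the `grep -P -x` switch in check-support-status.in; on its own, `golang.*` is as much a non-matching literal under the old `comm` intersection as `golang*` was. Since every first field in this file is now an anchored regular expression, the file's header comment should say so for future editors, and it is worth spelling out that `golang.*` also matches a source named exactly `golang` as well as everything with that prefix, which is the intended coverage for the static-linking caveat. The other entries in this hunk contain no regex metacharacters, so they keep matching literally.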
@@ -24,5 +24,6 @@
 qtwebengine-opensource-src No security support upstream and backports not feasible, only for use on trusted content
 qtwebkit        No security support upstream and backports not feasible, only for use on trusted content
 qtwebkit-opensource-src No security support upstream and backports not feasible, only for use on trusted content
+samba           Only non-AD Domain Controller use cases are supported. See https://lists.debian.org/debian-security-announce/2023/msg00169.html
 sql-ledger      Only supported behind an authenticated HTTP zone
 zoneminder      See README.Debian.security, only supported behind an authenticated HTTP zone, #922724
diff -Nru debian-security-support-11+2023.05.04/t/check-support-status.t debian-security-support-11+2023.10.17/t/check-support-status.t
--- debian-security-support-11+2023.05.04/t/check-support-status.t	2023-05-04 14:27:19.000000000 -0300
+++ debian-security-support-11+2023.10.17/t/check-support-status.t	2023-10-17 13:08:20.000000000 -0300
@@ -208,6 +208,7 @@
 iceweasel       3.5.16-20       2013-05-01
 base-files      6.0squeeze9     2014-05-01  Some spaced  explanation
 debconf         1.5.36.0        2014-05-02
+node-.*         0               2020-02-20  https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8
 openjdk-6       6b35-1.13.7-1~deb7u1    2031-05-23  No perpetual term support
 __EOS__
     write_file ($list_limited, <<__EOS__);
@@ -221,6 +222,9 @@
             [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
             [ 'ioi', 'php5', '5.3.3-7+squeeze19' ],
             [ 'ioi', 'openjdk-6-jre', '6b35-1.13.7-1~deb7u1', 'openjdk-6' ],
+            [ 'ioi', 'supported-package', '1.0-1' ],
+            [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
+            [ 'ioi', 'libjs-marked', '0.3.2+dfsg-1', 'node-marked' ],
         ],
     );
 
@@ -238,6 +242,16 @@
   Affected binary package:
   - base-files (installed version: 6.0squeeze9)
 
+* Source:debconf, ended on 2014-05-02 at version 1.5.36.0
+  Affected binary packages:
+  - debconf (installed version: 1.5.36.1)
+  - debconf-i18n (installed version: 1.5.36.1)
+
+* Source:node-marked, ended on 2020-02-20 at version 0
+  Details: https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8
+  Affected binary package:
+  - libjs-marked (installed version: 0.3.2+dfsg-1)
+
 
 * Source:php5
   Details: See README.Debian.security for the PHP security policy
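Review bot: the new `Source:debconf` block is a direct consequence of dropping the version check: the installed 1.5.36.1 is newer than the listed 1.5.36.0, so debconf was suppressed before and is reported now. That is the intended behaviour for #986581, but the `ended on 2014-05-02 at version 1.5.36.0` line now sits next to an installed version that is past that point, so the report wording may be worth revisiting so it does not read as if the installed version were below the listed one. The `node-marked` block is the positive test for the regex path (`node-.*` reached through the `libjs-marked` binary); a negative case, such as a source whose name merely contains `node-` in the middle, would make the `-x` anchoring explicit in the suite. The pre-existing double blank line before `* Source:php5` is kept as context here, so nothing to change, but note the expectation is whitespace-sensitive.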
@@ -260,6 +274,9 @@
         my $got = read_file ($statusdb_file);
         my $expect = <<__EOS__;
 base-files/6.0squeeze9
+debconf/1.5.36.1
+debconf-i18n/1.5.36.1
+libjs-marked/0.3.2+dfsg-1
 php5/5.3.3-7+squeeze19
 openjdk-6-jre/6b35-1.13.7-1~deb7u1
 __EOS__
@@ -299,8 +316,8 @@
         $query_list,
         [
             [ 'ioi', 'base-files', '6.0squeeze9' ],
-            [ 'ioi', 'debconf', '1.5.36.1' ],
-            [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
+            [ 'ioi', 'supported-package', '1.0-1' ],
+            [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
         ],
     );
 
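Review bot: swapping the `debconf` rows for `supported-package` rows here, and in the later `mock_query_list` hunks, is presumably needed because these tests expect no alert for the queried packages and, with the version check gone, debconf would now be reported; a name that appears in none of the lists keeps the negative expectation meaningful. A one-line comment in the test explaining why debconf was replaced would save the next reader the same deduction.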
@@ -543,8 +560,8 @@
         $query_list,
         [
             [ 'doc', 'base-files', '6.0squeeze9' ],
-            [ 'ioi', 'debconf', '1.5.36.1' ],
-            [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
+            [ 'ioi', 'supported-package', '1.0-1' ],
+            [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
         ],
     );
 
@@ -586,8 +603,8 @@
         $query_list,
         [
             [ 'ioi', 'base-files', '6.0squeeze9' ],
-            [ 'ioi', 'debconf', '1.5.36.1' ],
-            [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
+            [ 'ioi', 'supported-package', '1.0-1' ],
+            [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
         ],
     );
 
@@ -772,9 +789,9 @@
         $query_list,
         [
             [ 'ioi', 'base-files', '6.0squeeze9' ],
-            [ 'ioi', 'debconf', '1.5.36.1' ],
-            [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
             [ 'ioi', 'openjdk-6-jre', '6b35-1.13.7-1~deb7u1', 'openjdk-6' ],
+            [ 'ioi', 'supported-package', '1.0-1' ],
+            [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
         ],
     );
 
@@ -834,8 +851,8 @@
     mock_query_list (
         $query_list,
         [
-            [ 'ioi', 'debconf', '1.5.36.1' ],
-            [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
+            [ 'ioi', 'supported-package', '1.0-1' ],
+            [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
         ],
     );
 



--- End Message ---
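The mismatch the request above describes, as an added example that is not part of the mail or the debdiff: constructed list and installed-package data are run through the old comm intersection and the patched anchored-regex one (grep -E stands in for the script's grep -P; the result is the same for these patterns, and the list and package names are made up).

```shell
#!/bin/sh
# Added example, not code from the debdiff: shows on constructed data why
# "golang*" was never matched before this update and how the patched
# intersection behaves. grep -E is used where the script uses grep -P;
# for these patterns the two are equivalent (assumes a GNU/BSD userland).

# Constructed lists in the security-support-limited format: <pattern> <details>.
LIST_OLD='# comment line, skipped by both variants
golang*         See release notes, static linking
samba           Only non-AD Domain Controller use cases are supported'
LIST_NEW='# comment line, skipped by both variants
golang.*        See release notes, static linking
samba           Only non-AD Domain Controller use cases are supported'

# Constructed installed source package names, as the $LEFT file holds them.
INSTALLED='golang-1.15
golang-github-pkg-errors
samba
samba-testsuite'

# Before the update: exact string intersection with comm, so a first field
# is a literal source name and "golang*" (or "golang.*") matches nothing.
old_intersection() {
    tmp=$(mktemp -d)
    printf '%s\n' "$INSTALLED" | LC_ALL=C sort -u >"$tmp/left"
    printf '%s\n' "$1" | grep -v '^#' | awk '{print $1}' | LC_ALL=C sort >"$tmp/right"
    LC_ALL=C comm -12 "$tmp/left" "$tmp/right"
    rm -rf "$tmp"
}

# After the update: first fields are anchored regexes joined with '|'.
# -x keeps "samba" from matching "samba-testsuite", and a glob-style
# "golang*" read as a regex still matches no real package name.
new_intersection() {
    patterns=$(printf '%s\n' "$1" | grep -vE '^(#|$)' | awk '{print $1}' | paste -sd'|' -)
    printf '%s\n' "$INSTALLED" | LC_ALL=C sort -u \
        | LC_ALL=C grep -E -x -e "$patterns" || true
}

# Stand-alone run: the four combinations of script variant and list entry.
echo "== old script, golang* entry";  old_intersection "$LIST_OLD"
echo "== old script, golang.* entry"; old_intersection "$LIST_NEW"
echo "== new script, golang* entry";  new_intersection "$LIST_OLD"
echo "== new script, golang.* entry"; new_intersection "$LIST_NEW"
```

Only the last combination reports the two golang sources, which is why both the script change and the list entry change were needed.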
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
