Bug#1081035: bookworm-pu: package fcgiwrap/1.1.0-14+deb12u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1081035: bookworm-pu: package fcgiwrap/1.1.0-14+deb12u1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 07 Sep 2024 12:17:52 +0200
Message-id: <[🔎] 172570427205.1732236.14523734960163466657.reportbug@elende.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1081035@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fcgiwrap@packages.debian.org, team@security.debian.org, Jonathan Nieder <jrnieder@gmail.com>, Jordi Mallach <jordi@debian.org>, carnil@debian.org
Control: affects -1 + src:fcgiwrap
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

We (security-team) plan to release an update of git fixing several
CVEs, prepared by Jonathan Nieder and rebasing git version to 2.39.5
upstream, which uncovered regressions in both fcgiwrap (#1072394) and
ikiwiki-hosting (cf. #1076751).

They were triggered as well in autopkgtests with the prepared
git/1:2.39.5-0+deb12u1 version.

We discussed this, if we should release the update for ikiwiki-hosting
(real impact) and fcgiwrap (only autopkgtests) via a corresponding
update or a proposed-update is enough. We prpoose the later, and let
it go through the upcoming point release.

Attached ist the proposed debdiff for fcgiwrap.

I have not yet uploaded the package, but CC'ing Jordi.

Regards,
Salvatore

diff -Nru fcgiwrap-1.1.0/debian/changelog fcgiwrap-1.1.0/debian/changelog
--- fcgiwrap-1.1.0/debian/changelog	2022-12-17 18:23:54.000000000 +0100
+++ fcgiwrap-1.1.0/debian/changelog	2024-09-07 11:31:30.000000000 +0200
@@ -1,3 +1,13 @@
+fcgiwrap (1.1.0-14+deb12u1) bookworm; urgency=medium
+
+  [ Mitchell Dzurick ]
+  * d/t/git-http-backend: make www-data own $AUTOPKGTEST_TMP/test1/.git
+    git introduced more aggressive security checking, so the dep8 test needs
+    to explicitly change ownership of the new git directory.
+    (LP: #2067942, Closes: #1072394)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 07 Sep 2024 11:31:30 +0200
+
 fcgiwrap (1.1.0-14) unstable; urgency=medium
 
   * Brown paper bag release.
diff -Nru fcgiwrap-1.1.0/debian/tests/git-http-backend fcgiwrap-1.1.0/debian/tests/git-http-backend
--- fcgiwrap-1.1.0/debian/tests/git-http-backend	2022-11-21 18:05:05.000000000 +0100
+++ fcgiwrap-1.1.0/debian/tests/git-http-backend	2024-09-07 11:30:46.000000000 +0200
@@ -12,6 +12,7 @@
 
 git init test1
 git -C test1 commit --allow-empty -m test
+chown -R www-data:www-data "$AUTOPKGTEST_TMP"/test1/.git
 
 tee /etc/nginx/sites-available/default <<EOF
 server {

Reply to:

Follow-Ups:
- Processed: bookworm-pu: package fcgiwrap/1.1.0-14+deb12u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1081035: fcgiwrap 1.1.0-14+deb12u1 flagged for acceptance
  - From: Jonathan Wiltshire <jmw@debian.org>

Prev by Date: Processed: bookworm-pu: package fcgiwrap/1.1.0-14+deb12u1
Next by Date: Bug#1081044: transition: nauty 2.8.9
Previous by thread: Bug#1081034: Info received (Bug#1081034: bookworm-pu: package ikiwiki-hosting/0.20220716-2+deb12u1)
Next by thread: Processed: bookworm-pu: package fcgiwrap/1.1.0-14+deb12u1
Index(es):
- Date
- Thread