Your message dated Fri, 28 Oct 2016 20:11:48 +0000
with message-id <[email protected]>
and subject line Bug#842276: fixed in nginx 1.6.2-5+deb8u4
has caused the Debian Bug report #842276,
regarding nginx-common.config dpkg --compare-versions will mishandle return codes should the check fail
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
842276: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842276
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Severity: serious
Version: 1.6.2-5+deb8u3

This was originally identified as a result of my own failure downstream in Ubuntu when applying the patches from Debian for CVE-2016-1247.

One of the things added was nginx-common.config. In this, the following set of code exists:

    log_symlinks_check() {
        # Skip new installations
        [ -z "$1" ] && return

        # Skip unaffected installations
        dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return

        # Check for unsecure symlinks
        linked_logfiles="` find "$logdir" -type l -user www-data -name '*.log' `"

        # Skip if nothing is found
        [ -z "$linked_logfiles" ] && return

        db_subst nginx/log-symlinks logfiles $linked_logfiles
        db_input high nginx/log-symlinks || true
        db_go || true
    }

This line will break all future version upgrades:

    dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return

What happens here is, say that the package is updated, and we have +deb8u4 then. Let's examine the error code we get from this:

    teward@debian:~$ dpkg --compare-versions 1.6.2-5+deb8u4 lt-nl 1.6.2-5+deb8u3; echo $?
    1

This error code is caught by `dpkg` and will ultimately die off with a failure code, like this (NOTE: +deb8u4 was a 'fake' package created by me from the nginx source code that has no changes between +deb8u3, it was just used to test the version bump issue):

    teward@debian:~$ sudo dpkg -i ./nginx-common_1.6.2-5+deb8u4_all.deb
    (Reading database ... 29849 files and directories currently installed.)
    Preparing to unpack .../nginx-common_1.6.2-5+deb8u4_all.deb ...
    Unpacking nginx-common (1.6.2-5+deb8u4) over (1.6.2-5+deb8u3) ...
    Setting up nginx-common (1.6.2-5+deb8u4) ...
    dpkg: error processing package nginx-common (--install):
     subprocess installed post-installation script returned error exit status 1
    Processing triggers for systemd (215-17+deb8u5) ...
    Processing triggers for man-db (2.7.0.2-5) ...
    Errors were encountered while processing:
     nginx-common

This prevents clean package updates.

The fix implemented downstream, considered a Security Regression update in Ubuntu, was to change the line referenced above to the following:

    dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return 0

This will force an "OK" status code when the version check fails, and permit updating.

Please update this ASAP, *long before* we have to deal with this as a core problem in the package.

------
Thomas
--- End Message ---
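
The failure mode in the report above can be reproduced without dpkg. The following is an added example, not code from the nginx package or from the bug report: `run_config`, `config_status` and `older_than_u3` are hypothetical names, and `older_than_u3` is a constructed stand-in for the `dpkg --compare-versions` call that only understands versions of the form 1.6.2-5+deb8uN.

```shell
#!/bin/sh
# Added illustration, not the Debian package's script. older_than_u3 is a
# constructed stand-in for
#   dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3"
# and is not dpkg's version comparison algorithm.

# Run a miniature config script in a child shell under `set -e`.
#   $1 = guard statement placed after `||`   $2 = version passed to the check
run_config() {
    sh -c '
set -e
older_than_u3() { [ "${1##*+deb8u}" -lt 3 ]; }
log_symlinks_check() {
    [ -z "$1" ] && return                 # new installation
    older_than_u3 "$1" || '"$1"'
    echo "symlink check ran"
}
log_symlinks_check "$1"
echo "config finished"
' config "$2"
}

# Print the exit status the child script ended with.
config_status() {
    status=0
    run_config "$1" "$2" >/dev/null || status=$?
    echo "$status"
}

# A bare `return` hands the failed comparison's status to the caller, and
# `set -e` then aborts the script; `return 0` lets the script continue.
for version in 1.6.2-5+deb8u2 1.6.2-5+deb8u4; do
    echo "$version: '|| return' -> exit $(config_status 'return' "$version")," \
         "'|| return 0' -> exit $(config_status 'return 0' "$version")"
done
```

Both guards behave the same for a version older than the threshold, which is why the defect only shows up on the upgrade after the one that introduced the check.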
--- Begin Message ---
Source: nginx
Source-Version: 1.6.2-5+deb8u4

We believe that the bug you reported is fixed in the latest version of nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated nginx package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Thu, 27 Oct 2016 20:22:42 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg
Architecture: all source
Version: 1.6.2-5+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Kartik Mistry <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 842276
Description:
 nginx - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
Changes:
 nginx (1.6.2-5+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/nginx-common.config: fix return code so script doesn't exit.
     Thanks to Marc Deslauriers and Thomas Ward (Closes: #842276)
--- End Message ---

