Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: debian-security-supp...@packages.debian.org Control: affects -1 + src:debian-security-support
Dear release team,

[ Reason ]
The reasons for this proposed update are:
* Fix two bugs already solved in bookworm (#986581 and #986333)
* Include samba in the list of packages with limited support (#1053109).

Currently, because of #986581 and #986333, d-d-s's check-support-status silently ignores "golang*" packages, so users don't get any warning about their limited support status.

[ Impact ]
Bullseye users will continue not to get any warning about the limited support regarding the golang.* packages installed in their systems. As for the samba-related change, without the upload, users will lose a chance to get informed about its security support situation.

[ Tests ]
The changes include tests to verify #986581 and #986333 have been fixed. I have also manually verified on a bullseye container how the current and the proposed packages behave, and I can confirm the issues are fixed, and I didn't identify any regression.

[ Risks ]
The relevant code has been included in bookworm since its release. They were fully included in 1:12+2021.09.30:
https://tracker.debian.org/news/1263114/accepted-debian-security-support-11220210930-source-into-unstable/

The only difference in check-support-status.in between the proposed update and bookworm is:

git diff HEAD bookworm -- check-support-status.in diff --git a/check-support-status.in b/check-support-status.in index 3ebf5e9..86b080a 100755 --- a/check-support-status.in +++ b/check-support-status.in
@@ -13,7 +13,7 @@ VERSION='[% VERSION %]' # Oldest Debian version included in debian-security-support DEB_LOWEST_VER_ID=9 # Version ID for next Debian stable -DEB_NEXT_VER_ID=12 +DEB_NEXT_VER_ID=13 if [ -z "$DEBIAN_VERSION" ] ; then DEBIAN_VERSION="$(cat /etc/debian_version | grep '[0-9.]' | cut -d. -f1)"

So the risk of regression is minimal. Regarding the change of adding samba to the list of packages with limited support, that doesn't represent any risk.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
From d/changelog:
* Mark samba support limited to non-AD DC uses cases (Closes: #1053109)
  The explanation is found here: https://www.debian.org/security/2021/dsa-5015
* Drop version-based check (Closes: #986581) and update test suite accordingly. Backport changes made by Sylvain Beucler.
* Match ecosystems with limited support, test case updated. (Closes: #986333) Backport changes by Sylvain Beucler.

These changes are reflected in check-support-status.in. The tests to check them are found in t/check-support-status. To fix the relevant bugs, the changes needed to remove a conditional to avoid comparing against an installed version, a check that is kind of obsolete and didn't make any sense when comparing against package name patterns. Second, the changes included the fix to compare against a regex pattern, and avoid misidentifying packages whose name would match the non-optimal "golang*". And that is the reason for:
* Use golang.* (as regex) instead of golang* in security-support-limited

[ Other info ]
N/A

Cheers,

-- Santiago
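Review bot: this inline hunk is `git diff HEAD bookworm`, so the `-DEB_NEXT_VER_ID=12` side is the proposed bullseye value and `+DEB_NEXT_VER_ID=13` is bookworm's; the proposed update correctly keeps 12 for bullseye, and it would help the reader to say so next to the diff rather than leaving the direction of the comparison implicit.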
diff -Nru debian-security-support-11+2023.05.04/check-support-status.in debian-security-support-11+2023.10.17/check-support-status.in --- debian-security-support-11+2023.05.04/check-support-status.in 2023-05-04 14:27:19.000000000 -0300 +++ debian-security-support-11+2023.10.17/check-support-status.in 2023-10-17 13:08:20.000000000 -0300 @@ -175,12 +175,11 @@ # Create intersection LEFT="$TEMPDIR/left" -RIGHT="$TEMPDIR/right" INTERSECTION_LIST="$TEMPDIR/intersection" [% AWK %] -F'\t' '{print $3}' "$INSTALLED_LIST" | LC_ALL=C sort -u >"$LEFT" -grep -v '^#' "$LIST" | LC_ALL=C sort | [% AWK %] '{print $1}' >"$RIGHT" +PATTERNS=$(grep -vP '^(#|$)' "$LIST" | [% AWK %] '{print $1}' | paste -sd'|') -LC_ALL=C comm -12 "$LEFT" "$RIGHT" >"$INTERSECTION_LIST" +LC_ALL=C grep -P -x -e "$PATTERNS" "$LEFT" >"$INTERSECTION_LIST" || true if [ ! -s "$INTERSECTION_LIST" ] ; then # nothing to do exit 0 @@ -190,9 +189,14 @@ mkdir -p "$TD" cat "$INTERSECTION_LIST" | while read SRC_NAME ; do + LINE=$(grep -vP '^(#|$)' "$LIST" | while read pattern rest ; do + if echo $SRC_NAME | grep -q -P -x -e "$pattern" ; then + echo "$pattern $rest" + break + fi + done) IFS="$(printf '\nx')" IFS="${IFS%x}" - LINE="$([% AWK %] '($1=="'"$SRC_NAME"'"){print}' "$LIST" | head -1)" case "$TYPE" in earlyend) TMP_WHEN="$(echo "$LINE" | [% AWK %] '{print $3}')" 
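Review bot: in the first hunk every first column of "$LIST" is now an unescaped PCRE joined with `|` into one `grep -P -x -e "$PATTERNS"` call, so a source name containing `.` or `+` would silently change meaning (`-x` keeps a plain entry like `cython` exact, but `+` or `.` inside a name does not survive); the list header should state that the first column is a regex, and `|| true` hides grep's exit status 2 for a malformed pattern as well as the harmless exit 1 for no match, so consider checking for 2 separately. In the second hunk, `echo $SRC_NAME` is unquoted (use `printf '%s\n' "$SRC_NAME"`), and the `break` on the first matching pattern means list order decides which explanation line applies when two patterns match the same source, which mirrors the old `head -1` but is worth a comment; the rebuilt `LINE` also replaces the tab between pattern and explanation with a space, which the later `awk '{print $3}'` tolerates only because it splits on any whitespace.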
@@ -256,34 +260,28 @@ esac # for earlyend and ended, check packages actually affected (if TMP_WHEN not null) if [ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ] ; then - if \ - [ -z "$ALERT_VERSION" ] || - [ "$BIN_VERSION" = "$ALERT_VERSION" ] || - dpkg --compare-versions "$BIN_VERSION" '<=' "$ALERT_VERSION" - then - # need to alert, but check status db first - TOKEN="$BIN_NAME/$BIN_VERSION" - if [ "$STATUSDB_FILE" ] && [ -f "$STATUSDB_FILE" ]; then - if grep -qFx "$TOKEN" "$STATUSDB_FILE" ; then - continue - fi + # need to alert, but check status db first + TOKEN="$BIN_NAME/$BIN_VERSION" + if [ "$STATUSDB_FILE" ] && [ -f "$STATUSDB_FILE" ]; then + if grep -qFx "$TOKEN" "$STATUSDB_FILE" ; then + continue + fi + fi + echo "$BIN_NAME $BIN_VERSION" >>"$TD/$SRC_NAME.bin" + echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version" + echo "$ALERT_WHEN" >"$TD/$SRC_NAME.when" + echo "$ALERT_WHY" >"$TD/$SRC_NAME.why" + if [ "$STATUSDB_FILE" ] ; then + # add to status db, remove any older entries + if [ -f "$STATUSDB_FILE" ]; then + TEMPFILE="$(mktemp --tmpdir="$(dirname "$STATUSDB_FILE")")" + [% AWK %] -F/ '($1!="'"$BIN_NAME"'"){print}' \ + <"$STATUSDB_FILE" >"$TEMPFILE" + mv "$TEMPFILE" "$STATUSDB_FILE" fi - echo "$BIN_NAME $BIN_VERSION" >>"$TD/$SRC_NAME.bin" - echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version" - echo "$ALERT_WHEN" >"$TD/$SRC_NAME.when" - echo "$ALERT_WHY" >"$TD/$SRC_NAME.why" - if [ "$STATUSDB_FILE" ] ; then - # add to status db, remove any older entries - if [ -f "$STATUSDB_FILE" ]; then - TEMPFILE="$(mktemp --tmpdir="$(dirname "$STATUSDB_FILE")")" - [% AWK %] -F/ '($1!="'"$BIN_NAME"'"){print}' \ - <"$STATUSDB_FILE" >"$TEMPFILE" - mv "$TEMPFILE" "$STATUSDB_FILE" - fi - echo "$TOKEN" >>"$STATUSDB_FILE" - fi # maintain status db - fi # package BIN_NAME's version is not supported - fi + echo "$TOKEN" >>"$STATUSDB_FILE" + fi # maintain status db + fi # package BIN_NAME's version is not supported done # read binary name and version for matching source name done # each source 
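Review bot: the closing comment `fi # package BIN_NAME's version is not supported` is now stale, since the `dpkg --compare-versions "$BIN_VERSION" '<=' "$ALERT_VERSION"` test that it described is removed and every installed binary of a matched source is alerted regardless of version; reword it to something like `fi # earlyend/ended with a date, or limited`. `$ALERT_VERSION` is still written to "$TD/$SRC_NAME.version" and so still appears in the report, which is fine, but it is display-only now and a comment saying so would prevent someone reintroducing a comparison on it.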
package from intersection diff -Nru debian-security-support-11+2023.05.04/debian/changelog debian-security-support-11+2023.10.17/debian/changelog --- debian-security-support-11+2023.05.04/debian/changelog 2023-05-04 14:27:19.000000000 -0300 +++ debian-security-support-11+2023.10.17/debian/changelog 2023-10-17 13:08:20.000000000 -0300 @@ -1,3 +1,15 @@ +debian-security-support (1:11+2023.10.17) bullseye; urgency=medium + + * Team upload. + * Mark samba support limited to non-AD DC uses cases (Closes: #1053109) + * Drop version-based check (Closes: #986581) and update test suite + accordingly. Backport changes made by Sylvain Beucler. + * Match ecosystems with limited support, test case updated. (Closes: #986333) + Backport changes by Sylvain Beucler. + * Use golang.* (as regex) instead of golang* in security-support-limited + + -- Santiago Ruano Rincón <santi...@freexian.com> Tue, 17 Oct 2023 13:08:20 -0300 + debian-security-support (1:11+2023.05.04) bullseye-updates; urgency=medium [ Holger Levsen ] diff -Nru debian-security-support-11+2023.05.04/security-support-limited debian-security-support-11+2023.10.17/security-support-limited --- debian-security-support-11+2023.05.04/security-support-limited 2023-05-04 14:27:19.000000000 -0300 +++ debian-security-support-11+2023.10.17/security-support-limited 2023-10-17 13:08:20.000000000 -0300 
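Review bot: "non-AD DC uses cases" in the changelog entry should read "use cases"; the same wording appears in the cover mail, so fix both before upload.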
@@ -11,7 +11,7 @@ cython Only included for building packages, not running them, #975058 ganglia See README.Debian.security, only supported behind an authenticated HTTP zone, #702775 ganglia-web See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 -golang* See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking +golang.* See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking gnupg1 See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg kde4libs khtml has no security support upstream, only for use on trusted content khtml khtml has no security support upstream, only for use on trusted content, see #1004293 @@ -24,5 +24,6 @@ qtwebengine-opensource-src No security support upstream and backports not feasible, only for use on trusted content qtwebkit No security support upstream and backports not feasible, only for use on trusted content qtwebkit-opensource-src No security support upstream and backports not feasible, only for use on trusted content +samba Only non-AD Domain Controller use cases are supported. See https://lists.debian.org/debian-security-announce/2023/msg00169.html sql-ledger Only supported behind an authenticated HTTP zone zoneminder See README.Debian.security, only supported behind an authenticated HTTP zone, #922724 diff -Nru debian-security-support-11+2023.05.04/t/check-support-status.t debian-security-support-11+2023.10.17/t/check-support-status.t --- debian-security-support-11+2023.05.04/t/check-support-status.t 2023-05-04 14:27:19.000000000 -0300 +++ debian-security-support-11+2023.10.17/t/check-support-status.t 2023-10-17 13:08:20.000000000 -0300 
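Review bot: the samba entry links https://lists.debian.org/debian-security-announce/2023/msg00169.html while the cover mail gives https://www.debian.org/security/2021/dsa-5015 as the explanation; these are two different references and the list entry and the mail should agree on which one documents the non-AD DC limitation. With the first column now a regex, `golang.*` matches every source whose name merely starts with "golang", which is the intent per the linked release-notes section, but a one-line comment at the top of the file saying the column is a whole-line regex would save the next contributor from adding a glob.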
@@ -208,6 +208,7 @@ iceweasel 3.5.16-20 2013-05-01 base-files 6.0squeeze9 2014-05-01 Some spaced explanation debconf 1.5.36.0 2014-05-02 +node-.* 0 2020-02-20 https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8 openjdk-6 6b35-1.13.7-1~deb7u1 2031-05-23 No perpetual term support __EOS__ write_file ($list_limited, <<__EOS__); @@ -221,6 +222,9 @@ [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], [ 'ioi', 'php5', '5.3.3-7+squeeze19' ], [ 'ioi', 'openjdk-6-jre', '6b35-1.13.7-1~deb7u1', 'openjdk-6' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], + [ 'ioi', 'libjs-marked', '0.3.2+dfsg-1', 'node-marked' ], ], ); @@ -238,6 +242,16 @@ Affected binary package: - base-files (installed version: 6.0squeeze9) +* Source:debconf, ended on 2014-05-02 at version 1.5.36.0 + Affected binary packages: + - debconf (installed version: 1.5.36.1) + - debconf-i18n (installed version: 1.5.36.1) + +* Source:node-marked, ended on 2020-02-20 at version 0 + Details: https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8 + Affected binary package: + - libjs-marked (installed version: 0.3.2+dfsg-1) + * Source:php5 Details: See README.Debian.security for the PHP security policy @@ -260,6 +274,9 @@ my $got = read_file ($statusdb_file); my $expect = <<__EOS__; base-files/6.0squeeze9 +debconf/1.5.36.1 +debconf-i18n/1.5.36.1 +libjs-marked/0.3.2+dfsg-1 php5/5.3.3-7+squeeze19 openjdk-6-jre/6b35-1.13.7-1~deb7u1 __EOS__ @@ -299,8 +316,8 @@ $query_list, [ [ 'ioi', 'base-files', '6.0squeeze9' ], - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], ); 
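Review bot: the expected output now lists `Source:debconf, ended on 2014-05-02 at version 1.5.36.0` with installed `1.5.36.1`, i.e. a newer-than-listed version is reported; that is the intended consequence of dropping the version comparison, but nothing in the test says so, and a reader could mistake it for a regression, so add a comment on the `debconf` expectation naming #986581. The `node-.*` list entry matched by `libjs-marked` from source `node-marked` is the only case exercising the regex path; it covers the `.*` suffix but not a pattern that matches several sources or two overlapping patterns.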
@@ -543,8 +560,8 @@ $query_list, [ [ 'doc', 'base-files', '6.0squeeze9' ], - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], ); @@ -586,8 +603,8 @@ $query_list, [ [ 'ioi', 'base-files', '6.0squeeze9' ], - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], ); @@ -772,9 +789,9 @@ $query_list, [ [ 'ioi', 'base-files', '6.0squeeze9' ], - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], [ 'ioi', 'openjdk-6-jre', '6b35-1.13.7-1~deb7u1', 'openjdk-6' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], ); @@ -834,8 +851,8 @@ mock_query_list ( $query_list, [ - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], );
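Review bot: replacing the `debconf` mock entries with `supported-package` / `supported-package-bin2` in these hunks checks that an unlisted source produces no output, which is needed now that `debconf` is always reported; what is still missing is a mock list entry containing a regex metacharacter such as `+` or `.` in a literal package name, and a list with two patterns matching the same source, so that the escaping and first-match-wins behaviour of the new `grep -P -x` matching is pinned down rather than assumed.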
signature.asc
Description: PGP signature
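The following is an added example, not code from debian-security-support or from the submitter, showing why the old intersection could never flag a "golang*" entry and how the new regex-based intersection and first-match explanation lookup behave. The installed package names and list contents are constructed for the demonstration; grep -E is used in place of the script's grep -P because these patterns need nothing beyond ERE, and that keeps the example runnable with any grep.

```shell
#!/bin/sh
# Added example, not code from debian-security-support: contrasts the old exact
# intersection (comm -12) with the new regex intersection (grep -x over the
# list's first column joined by "|"), plus the first-match lookup that picks the
# explanation line. The real script uses grep -P; grep -E is used here because
# these constructed patterns need nothing beyond ERE. All names are made up.
set -eu

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Stand-in for $LEFT: installed source package names, one per line, C-sorted.
printf '%s\n' base-files golang-1.15 golang-github-foo samba zoneminder \
  | LC_ALL=C sort -u >"$TMP/left"

# Stand-in for security-support-limited after the update (regex column, tab,
# explanation), including a comment and a blank line as the real file has.
printf '# source-regex\texplanation\n\ngolang.*\tSee release notes\nsamba\tOnly non-AD DC use\n' \
  >"$TMP/list"

# The same list as shipped before the update: "golang*" was a glob in spirit only.
printf 'golang*\tSee release notes\nsamba\tOnly non-AD DC use\n' >"$TMP/list_glob"

# Old approach: exact string intersection. A pattern can only ever equal an
# installed name, so neither "golang*" nor "golang.*" flags golang-1.15.
old_intersection() {  # $1 = list file; prints matched source names
  grep -v '^#' "$1" | LC_ALL=C sort | awk '{print $1}' >"$TMP/right"
  LC_ALL=C comm -12 "$TMP/left" "$TMP/right"
}

# New approach: treat each first column as a regex, join with "|", require a
# whole-line match. "|| true" keeps an empty result from failing under set -e.
new_intersection() {  # $1 = list file; prints matched source names
  PATTERNS=$(grep -vE '^(#|$)' "$1" | awk '{print $1}' | paste -sd'|')
  LC_ALL=C grep -E -x -e "$PATTERNS" "$TMP/left" || true
}

# Explanation lookup for one matched source: the first pattern in file order
# wins, so list ordering decides which line applies when several patterns match.
lookup_line() {  # $1 = list file, $2 = source name; prints "pattern rest"
  grep -vE '^(#|$)' "$1" | while read -r pattern rest ; do
    if printf '%s\n' "$2" | grep -q -E -x -e "$pattern" ; then
      printf '%s %s\n' "$pattern" "$rest"
      break
    fi
  done
}

echo "old (exact), golang* list:   $(old_intersection "$TMP/list_glob" | paste -sd' ')"
echo "new (regex), golang* list:   $(new_intersection "$TMP/list_glob" | paste -sd' ')"
echo "new (regex), golang.* list:  $(new_intersection "$TMP/list" | paste -sd' ')"
echo "explanation for golang-1.15: $(lookup_line "$TMP/list" golang-1.15)"
```

Under the regex semantics `golang*` means "golan" followed by any number of "g", so it matches no real source name either; that is why the list entry had to become `golang.*` once the matching changed. Because the first column is now interpreted as a regex, a literal `.` or `+` in a source name would need escaping, and the lookup's first-match rule makes the order of overlapping entries significant.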