Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: crowdsec-firewall-boun...@packages.debian.org
Control: affects -1 + src:crowdsec-firewall-bouncer

Hi,

[ Reason ]

I'd like to fix the #1071247/#1071248 pair in bookworm, which results in
crowdsec-firewall-bouncer's being broken on little-endian architectures
(addresses are getting logged just fine, but they're not passed over
correctly to the firewall layer).

I've checked with the security team; this doesn't warrant a DSA.

This is the daemon part (crowdsec-firewall-bouncer).

[ Impact ]

If the fix doesn't make it into stable, crowdsec-firewall-bouncer 
remains broken on little-endian architectures.

[ Tests ]

Same checks as for unstable when I uploaded the fixes there:
 - amd64 (LE, baremetal) before: KO
 - amd64 (LE, baremetal) after: OK
 - s390x (BE, debvm) before: OK
 - s390x (BE, debvm) after: OK

[ Risks ]

Except for a possible regression on s390x (which isn't the case, see
previous section), it cannot be worse than it currently is.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

Additionally, that reached testing.

[ Changes ]

Since there were already binNMUs for this package in p-u, with different
versions, I decided to err on the side of caution, and to propose a new
revision with a versioned build-dep on golang-github-google-nftables's
binary package; alternatively this package could be binNMU'd within p-u
once golang-github-google-nftables is available in p-u.

[ Other info ]

Previous bug report is the golang-github-google-nftables part.


Cheers,
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
diff -Nru crowdsec-firewall-bouncer-0.0.25/debian/changelog 
crowdsec-firewall-bouncer-0.0.25/debian/changelog
--- crowdsec-firewall-bouncer-0.0.25/debian/changelog   2023-05-31 
18:57:41.000000000 +0200
+++ crowdsec-firewall-bouncer-0.0.25/debian/changelog   2024-06-11 
10:20:58.000000000 +0200
@@ -1,3 +1,18 @@
+crowdsec-firewall-bouncer (0.0.25-4~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm.
+
+ -- Cyril Brulebois <cy...@debamax.com>  Tue, 11 Jun 2024 10:20:58 +0200
+
+crowdsec-firewall-bouncer (0.0.25-4) unstable; urgency=high
+
+  * Set minimal version for the golang-github-google-nftables-dev build
+    dependency to ensure a working AddSet() function, i.e. no longer
+    reversing byte order for IPv4 and IPv6 addresses at the nftables level
+    on little-endian architectures (Closes: #1071248, See: #1071247).
+
+ -- Cyril Brulebois <cy...@debamax.com>  Tue, 21 May 2024 10:15:36 +0200
+
 crowdsec-firewall-bouncer (0.0.25-3) unstable; urgency=medium
 
   * Fix failure to install if crowdsec is unpacked but not configured
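Review bot: the 0.0.25-4~deb12u1 entry says only "Rebuild for bookworm", and the 0.0.25-4 entry below it says "Set minimal version" without giving the version, so the changelog alone does not tell a bookworm user which golang-github-google-nftables-dev build carries the working AddSet(). Suggest extending the deb12u1 entry to state that the rebuild is against golang-github-google-nftables-dev (>= 0.1.0-4~), so the fix for the reversed IPv4/IPv6 byte order can be traced from the stable changelog without opening debian/control.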
diff -Nru crowdsec-firewall-bouncer-0.0.25/debian/control 
crowdsec-firewall-bouncer-0.0.25/debian/control
--- crowdsec-firewall-bouncer-0.0.25/debian/control     2023-03-21 
01:03:29.000000000 +0100
+++ crowdsec-firewall-bouncer-0.0.25/debian/control     2024-05-21 
09:53:53.000000000 +0200
@@ -10,7 +10,7 @@
                golang-github-coreos-go-systemd-dev,
                golang-github-crowdsecurity-crowdsec-dev,
                golang-github-crowdsecurity-go-cs-bouncer-dev,
-               golang-github-google-nftables-dev,
+               golang-github-google-nftables-dev (>= 0.1.0-4~),
                golang-golang-x-sys-dev,
                golang-gopkg-natefinch-lumberjack.v2-dev,
                golang-gopkg-tomb.v2-dev,
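Review bot: on the changed golang-github-google-nftables-dev line, the bound (>= 0.1.0-4~) is a build dependency that can only be satisfied in bookworm once a fixed golang-github-google-nftables is available there, so this upload has to be ordered after that one or the build will wait on an uninstallable dependency. The trailing tilde is the right choice, since it lets a ~deb12u1-style version of the library satisfy the bound in the same way this package is versioned 0.0.25-4~deb12u1. Because the constraint applies at build time only, it would help to say in the changelog that the fix reaches users through the rebuilt binary rather than through a runtime dependency.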
