Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
icinga2 in buster is affected by CVE-2020-14004 as reported in #970252. As it was deemed no-dsa, it should be fixed via a stable update. Kind Regards, Bas
diff -Nru icinga2-2.10.3/debian/changelog icinga2-2.10.3/debian/changelog
--- icinga2-2.10.3/debian/changelog 2019-03-01 12:18:30.000000000 +0100
+++ icinga2-2.10.3/debian/changelog 2020-09-14 06:47:22.000000000 +0200
@@ -1,3 +1,12 @@
+icinga2 (2.10.3-2+deb10u1) buster; urgency=medium
+
+ * Team upload.
+ * Update branch in gbp.conf & Vcs-Git URL.
+ * Add upstream patch to fix CVE-2020-14004.
+ (closes: #970252)
+
+ -- Bas Couwenberg <sebas...@debian.org> Mon, 14 Sep 2020 06:47:22 +0200
+
 icinga2 (2.10.3-2) unstable; urgency=medium
 
 * Team upload.
diff -Nru icinga2-2.10.3/debian/control icinga2-2.10.3/debian/control
--- icinga2-2.10.3/debian/control 2018-12-25 23:27:26.000000000 +0100
+++ icinga2-2.10.3/debian/control 2020-09-14 06:47:22.000000000 +0200
@@ -29,7 +29,7 @@
 po-debconf
 Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-icinga2
-Vcs-Git: https://salsa.debian.org/nagios-team/pkg-icinga2.git
+Vcs-Git: https://salsa.debian.org/nagios-team/pkg-icinga2.git -b buster
 Homepage: https://icinga.com
 
 Package: icinga2
diff -Nru icinga2-2.10.3/debian/gbp.conf icinga2-2.10.3/debian/gbp.conf
--- icinga2-2.10.3/debian/gbp.conf 2018-12-12 08:10:41.000000000 +0100
+++ icinga2-2.10.3/debian/gbp.conf 2020-09-14 06:47:22.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = buster
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch
--- icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch 1970-01-01 01:00:00.000000000 +0100
+++ icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch 2020-09-14 06:47:22.000000000 +0200
@@ -0,0 +1,23 @@
+Description: prepare-dirs: combine mkdir and chmod
+ Fixes CVE-2020-14004
+Author: "Alexander A. Klimov" <alexander.kli...@icinga.com>
+Origin: https://github.com/Icinga/icinga2/commit/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6
+Bug: https://github.com/Icinga/icinga2/pull/8046
+
+--- a/etc/initsystem/prepare-dirs.cmake
++++ b/etc/initsystem/prepare-dirs.cmake
+@@ -26,12 +26,10 @@ getent group $ICINGA2_GROUP >/dev/null 2
+ getent group $ICINGA2_COMMAND_GROUP >/dev/null 2>&1 || (echo "Icinga command group '$ICINGA2_COMMAND_GROUP' does not exist. Exiting." && exit 6)
+
+ if [ ! -e "$ICINGA2_INIT_RUN_DIR" ]; then
+- mkdir "$ICINGA2_INIT_RUN_DIR"
+- mkdir "$ICINGA2_INIT_RUN_DIR"/cmd
++ mkdir -m 755 "$ICINGA2_INIT_RUN_DIR"
++ mkdir -m 2750 "$ICINGA2_INIT_RUN_DIR"/cmd
+ fi
+
+-chmod 755 "$ICINGA2_INIT_RUN_DIR"
+-chmod 2750 "$ICINGA2_INIT_RUN_DIR"/cmd
+ chown -R $ICINGA2_USER:$ICINGA2_COMMAND_GROUP "$ICINGA2_INIT_RUN_DIR"
+
+ test -e "$ICINGA2_LOG_DIR" || install -m 750 -o $ICINGA2_USER -g $ICINGA2_COMMAND_GROUP -d "$ICINGA2_LOG_DIR"
diff -Nru icinga2-2.10.3/debian/patches/series icinga2-2.10.3/debian/patches/series
--- icinga2-2.10.3/debian/patches/series 2019-03-01 12:17:29.000000000 +0100
+++ icinga2-2.10.3/debian/patches/series 2020-09-14 06:47:22.000000000 +0200
@@ -1,3 +1,4 @@
 21_config_changes
 postgres-checkcommand.patch
 comparepasswords_issafe.patch
+0001-prepare-dirs-combine-mkdir-and-chmod.patch
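Review bot: The `chown -R $ICINGA2_USER:$ICINGA2_COMMAND_GROUP "$ICINGA2_INIT_RUN_DIR"` line kept as context in the embedded prepare-dirs hunk still runs on every invocation, outside the `if`, over a tree that the ownership it sets makes writable by the service account, so the script keeps changing ownership on paths it did not just create. Whether that is a practical problem depends on how the installed chown treats links and on the kernel's link protections, neither of which is visible here, so I would set ownership only at creation time by moving the line inside the `if` block before `fi`, quoted as `chown -R "$ICINGA2_USER:$ICINGA2_COMMAND_GROUP" "$ICINGA2_INIT_RUN_DIR"`. That changes behaviour for a pre-existing directory with wrong ownership, which would then be left as it is, so it may be better raised upstream than carried in this stable update. The script starts and ends outside the hunk, so who invokes it and with what privileges is inferred from the CVE reference rather than shown.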