Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id 
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970349,
regarding buster-pu: package icinga2/2.10.3-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
970349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970349
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

icinga2 in buster is affected by CVE-2020-14004 as reported in #970252.

As it was deemed no-dsa it should be fixed via stable update.

Kind Regards,

Bas
diff -Nru icinga2-2.10.3/debian/changelog icinga2-2.10.3/debian/changelog
--- icinga2-2.10.3/debian/changelog     2019-03-01 12:18:30.000000000 +0100
+++ icinga2-2.10.3/debian/changelog     2020-09-14 06:47:22.000000000 +0200
@@ -1,3 +1,12 @@
+icinga2 (2.10.3-2+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Update branch in gbp.conf & Vcs-Git URL.
+  * Add upstream patch to fix CVE-2020-14004.
+    (closes: #970252)
+
+ -- Bas Couwenberg <sebas...@debian.org>  Mon, 14 Sep 2020 06:47:22 +0200
+
 icinga2 (2.10.3-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru icinga2-2.10.3/debian/control icinga2-2.10.3/debian/control
--- icinga2-2.10.3/debian/control       2018-12-25 23:27:26.000000000 +0100
+++ icinga2-2.10.3/debian/control       2020-09-14 06:47:22.000000000 +0200
@@ -29,7 +29,7 @@
                po-debconf
 Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-icinga2
-Vcs-Git: https://salsa.debian.org/nagios-team/pkg-icinga2.git
+Vcs-Git: https://salsa.debian.org/nagios-team/pkg-icinga2.git -b buster
 Homepage: https://icinga.com
 
 Package: icinga2
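
Review bot: Vcs-Browser, in the unchanged context line just above the modified Vcs-Git, still points at the repository root, so it shows the default branch while Vcs-Git now selects `-b buster`. Consider pointing Vcs-Browser at the buster branch as well so both fields describe the same packaging branch.
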
diff -Nru icinga2-2.10.3/debian/gbp.conf icinga2-2.10.3/debian/gbp.conf
--- icinga2-2.10.3/debian/gbp.conf      2018-12-12 08:10:41.000000000 +0100
+++ icinga2-2.10.3/debian/gbp.conf      2020-09-14 06:47:22.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = buster
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru 
icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch 
icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch
--- 
icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch   
    1970-01-01 01:00:00.000000000 +0100
+++ 
icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch   
    2020-09-14 06:47:22.000000000 +0200
@@ -0,0 +1,23 @@
+Description: prepare-dirs: combine mkdir and chmod
+ Fixes CVE-2020-14004
+Author: "Alexander A. Klimov" <alexander.kli...@icinga.com>
+Origin: 
https://github.com/Icinga/icinga2/commit/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6
+Bug: https://github.com/Icinga/icinga2/pull/8046
+
+--- a/etc/initsystem/prepare-dirs.cmake
++++ b/etc/initsystem/prepare-dirs.cmake
+@@ -26,12 +26,10 @@ getent group $ICINGA2_GROUP >/dev/null 2
+ getent group $ICINGA2_COMMAND_GROUP >/dev/null 2>&1 || (echo "Icinga command 
group '$ICINGA2_COMMAND_GROUP' does not exist. Exiting." && exit 6)
+ 
+ if [ ! -e "$ICINGA2_INIT_RUN_DIR" ]; then
+-      mkdir "$ICINGA2_INIT_RUN_DIR"
+-      mkdir "$ICINGA2_INIT_RUN_DIR"/cmd
++      mkdir -m 755 "$ICINGA2_INIT_RUN_DIR"
++      mkdir -m 2750 "$ICINGA2_INIT_RUN_DIR"/cmd
+ fi
+ 
+-chmod 755 "$ICINGA2_INIT_RUN_DIR"
+-chmod 2750 "$ICINGA2_INIT_RUN_DIR"/cmd
+ chown -R $ICINGA2_USER:$ICINGA2_COMMAND_GROUP "$ICINGA2_INIT_RUN_DIR"
+ 
+ test -e "$ICINGA2_LOG_DIR" || install -m 750 -o $ICINGA2_USER -g 
$ICINGA2_COMMAND_GROUP -d "$ICINGA2_LOG_DIR"
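
Review bot: With the two `chmod` lines removed, the modes 755 and 2750 are only applied inside the `if [ ! -e "$ICINGA2_INIT_RUN_DIR" ]` branch, so a run directory that already exists keeps whatever permissions it has, and a missing `cmd` subdirectory under an existing run directory is not recreated. If that is intended, say so in the patch Description, which currently states only "Fixes CVE-2020-14004" without explaining why combining `mkdir` and `chmod` matters. Also note that the `chown -R` kept as context after the `fi` still runs unconditionally over "$ICINGA2_INIT_RUN_DIR" on every invocation; it is worth confirming whether it needs the same treatment as the removed `chmod` calls, for example by restricting it to the freshly created directories.
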
diff -Nru icinga2-2.10.3/debian/patches/series 
icinga2-2.10.3/debian/patches/series
--- icinga2-2.10.3/debian/patches/series        2019-03-01 12:17:29.000000000 
+0100
+++ icinga2-2.10.3/debian/patches/series        2020-09-14 06:47:22.000000000 
+0200
@@ -1,3 +1,4 @@
 21_config_changes
 postgres-checkcommand.patch
 comparepasswords_issafe.patch
+0001-prepare-dirs-combine-mkdir-and-chmod.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
