On Sat, 26 Apr 2025 at 21:54, Arnout Vandecappelle wrote:
> On 12/04/2025 10:07, Russell Coker wrote:
> > Here are the results of running valgrind with a debugging build of every
> > relevant package installed:
> >
> > ==241689== Invalid read of size 8
> > ==241689==at 0x53A92E: UnknownInlined
4) unstable; urgency=medium
.
* d/rules: skip valgrind test due to #1100805 (Closes: #1103370)
Regards,
--
Christian Göttsche
I am currently running the following hardening settings:
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelT
yright: refer to URL instead of postal address in GPL license
Regards,
--
Christian Göttsche
Changes since the last upload:
selint (1.5.1-3) unstable; urgency=medium
.
* d/patches: dump valgrind output on test failure
Regards,
--
Christian Göttsche
er changes)
Regards,
--
Christian Göttsche
> P.S. You may wish to disable DH_VERBOSE to save a little buildd time when doing releases.
Thanks again for taking a look.
DH_VERBOSE was disabled because I forgot to actually export it.
Also computing the PHP version only once in the latest mentors upload.
diff --git a/debian/rules b/deb
/bootstrap.min.css
/usr/share/rspamd/www/js/lib/bootstrap.bundle.min.js
/usr/share/rspamd/www/js/lib/jquery.min.js
/usr/share/rspamd/www/js/lib/require.min.js
Best regards,
Christian Göttsche
Control: tags -1 -moreinfo
> Test 3 (build twice): Information only
> ...
> E: Failed autobuilding of package
Thanks for your review Phil.
I somehow overlooked the build twice failure in the salsa pipeline.
Now fixed in the latest mentors upload via
https://salsa.debian.org/cgzones/snuffleupagus/
> Sponsored. Please provide me with your salsa user name so I can add you
> to the git members.
Thanks for sponsoring.
My salsa handle is "cgzones", see
https://salsa.debian.org/cgzones/libapache-mod-evasive.
Package: dhcpcd-base
Severity: important
Dear Maintainer,
when running dhcpcd with a custom allocator, such as hardened_malloc
or valgrind, it crashes with SIGSYS.
Backtrace on usage with hardened_malloc:
###
Program terminated with signal SIGSYS, Bad system call.
Download failed: Invalid
> With my very limited knowledge of selinux, I don't follow.
> Why it would need DAC_READ_SEARCH? If you can provide an example, it
> would be great.
postfix services like smtp, smtpd, postfix-master and tlsproxy need
access to `/var/spool/postfix/private/proxymap` and the parent
directory `/var/
the initial release:
snuffleupagus (0.11.0-1) unstable; urgency=medium
.
* Initial Release. (Closes: #894821)
Regards,
--
Christian Göttsche
control: owner -1 !
,
Christian Göttsche
Hi Federico,
are you still interested in packaging snuffleupagus, since you
declared ownership of #894821 four years ago?
Otherwise I'd like to work on this package, I also created a packaging
over at https://salsa.debian.org/cgzones/snuffleupagus.
Kind regards,
Christian Göttsche
Source: libselinux
Version: 3.8-4
Severity: important
Dear Maintainer,
upstream tagged a new release containing a performance regression fix,
affecting semodule.
Please consider packaging the new version 3.8.1.
Kind regards,
Christian Göttsche
. SELinux policies where the different postfix
processes run in different domains and by not granting
CAP_DAC_READ_SEARCH they now fall back and require CAP_DAC_OVERRIDE.
So please also permit CAP_DAC_READ_SEARCH in the service file.
Kind regards,
Christian Göttsche
drop patches applied upstream
* d/control: bump to std version 4.7.2 (no further changes)
Regards,
--
Christian Göttsche
control: severity -1 normal
Kindly ping
,
Christian Göttsche
le, and drop version postfix
* d/evasive.conf: fix typo corrected also upstream (Closes: #833448)
* d/s/lintian-overrides: ignore long license line
* d/salsa-ci.yml: add basic CI configuration
Regards,
--
Christian Göttsche
control: retitle -1 ITA: libapache-mod-evasive -- evasive module to
minimize HTTP DoS or brute force attacks
I intend to adopt the package libapache-mod-evasive.
See packaging at https://salsa.debian.org/cgzones/libapache-mod-evasive
On Wed, 19 Feb 2025 at 14:12, Jeroen Ploemen wrote:
>
> Uploaded, thanks.
>
> A few minor things that didn't put enough weight on the scale to be a
> blocker for today's upload, but would be a good idea to fix as part
> of a future update:
> * control: weird line wrapping in the last paragraph of
able; urgency=medium
.
* New upstream version 1.5.1
.
* d/copyright:
- drop comment line
- bump years
* d/control: drop outdated versioned dependency
* d/patches: drop patches applied upstream
* d/salsa-ci.yml: enable build_twice job
Regards,
--
Christian Göttsche
able; urgency=medium
.
* New upstream version 2.13
.
* d/control: bump to std version 4.7.0 (no further changes)
* d/tests/control: drop default dependency
* d/patches: rebase
* d/copyright: bump years
* d/salsa-ci.yml: enable build_twice job
Regards,
--
Christian Göttsche
kB instead of KB in --si mode
- Fix supported range of uid/gid numbers
* d/copyright: bump years
Regards,
--
Christian Göttsche
Please take a look at the proposal over at
https://salsa.debian.org/selinux-team/libselinux/-/merge_requests/11
d/control: bump std-version to 4.7.0 (no further changes)
* d/copyright: bump year
* d/patches: close verbatim environment in tex file (Closes: #1092959)
* d/salsa-ci.yml: enable build-twice job
* d/watch: adjust to GitHub API change
Regards,
--
Christian Göttsche
9)
.
* d/control:
- set myself as Maintainer (Closes: #1089284)
- bump to std version 4.7.0 (no further changes)
- switch from pkg-config to pkgconf
- add Vcs fields
* d/copyright: bump years and use https URL
* d/salsa-ci.yml: add standard salsa-ci configuration
Regards,
--
Christian Göttsche
NETAVARK_DEFAULT_FW=nftables at build
time.
Best regards,
Christian Göttsche
Dec 16, 2024 10:14:21 Matthew Vernon :
> Hi,
>
> On 16/12/2024 01:25, Antonio Russo wrote:
>> On 11/24/24 08:18, Antonio Russo wrote:
>>> Dear Maintainer,
>>>
>>> After upgrading to pcre2 10.44-4, I get errors like this:
>>>
>>> Regex version mismatch, expected: 10.44 2024-06-07 actual: 10.42 2022
(1.19 vs 1.21).
I intend to take ownership on no response around the 29th of December.
Thanks for your past work Eugene.
Best regards,
Christian Göttsche
default does
not change anything but adds a configuration setting
`zend.dlopen_deepbind` to support custom allocators.
Best regards,
Christian Göttsche
[1]: https://github.com/GrapheneOS/hardened_malloc/
[2]: https://github.com/php/php-src/issues/10670
[3]: https://github.com/php/php-src/pull
C0
[...]
Many thanks for working on this tool!
Best regards,
Christian Göttsche
[1]: https://salsa.debian.org/systemd-team/systemd-netlogd
-- System Information:
Versions of packages licenserecon depends on:
ii dpkg-dev 1.22.11
ii libc6 2.40-3
ii licensecheck 3.3.
copyright: bump year
* d/patches: ignore failure on nonexistent utmp (Closes: #1085482)
* d/tests: skip tests if utmp file does not exist
Regards,
--
Christian Göttsche
On Sat, 26 Oct 2024 at 17:18, Luca Boccassi wrote:
>
> On Sat, 26 Oct 2024 at 16:14, Christian Göttsche
> wrote:
> >
> > On Fri, 25 Oct 2024 at 18:49, Luca Boccassi wrote:
> > >
> > > On Fri, 25 Oct 2024 at 17:27, Christian Göttsche
> > >
On Fri, 25 Oct 2024 at 18:49, Luca Boccassi wrote:
>
> On Fri, 25 Oct 2024 at 17:27, Christian Göttsche
> wrote:
> >
> > Package: wnpp
> > X-Debbugs-Cc: debian-de...@lists.debian.org,
> > pkg-systemd-maintain...@lists.alioth.debian.org
> > Owner: Chr
Package: wnpp
X-Debbugs-Cc: debian-de...@lists.debian.org,
pkg-systemd-maintain...@lists.alioth.debian.org
Owner: Christian Göttsche
Severity: wishlist
* Package name: systemd-netlogd
Version : 1.4.2
Upstream Contact: Susant Sahani
* URL : https://github.com/systemd
Package: gdu
Version: 5.25.0-1+b3
Severity: wishlist
Dear Maintainer,
please consider packaging version 5.29.0 with one year's worth of work,
e.g. a no-delete and a non-unicode mode.
Regards,
Christian Göttsche
x27;t know if
firewalld uses some src:dbus specific internals, so whether such a
change would need some code changes or just a debian/control tweak.
Regards,
Christian Göttsche
in version 3.7 for systems with SELinux
disabled:
https://github.com/SELinuxProject/selinux/commit/f398662ea19d2cf6db6cb791e3b787889e5af883
Thanks,
Christian Göttsche
p.s.:
For the packaging of checkpolicy please cherry-pick
https://github.com/SELinuxProject
Support-CIDR-address-notation-in-nodecon-statement:
Support new CIDR nodecon syntax
Regards,
--
Christian Göttsche
control: reopen -1
> Hmm... there seems to be a build issue on 32bit.
Fixed (together with a reproducibility issue) in the latest mentors upload.
control: tags -1 unreproducible
> Building logrotate twice with pbuilder (part of reproducible builds) e.g.
> 'sudo
> pbuilder build --twice logrotate_-.dsc' results in a
> stray process at the end of the second build that requires manual intervention
> (hitting 'q' key) to exit and complete the
logrotate (3.22.0-1) unstable; urgency=medium
.
* New upstream version 3.22.0
.
* d/tests/control: drop redundant Depends
* d/control: bump to std version 4.7.0 (no further changes)
* d/upstream/signing-key.asc: add key for new release
Regards,
--
Christian Göttsche
for a
salsa merge request.
Regards,
Christian Göttsche
diff --git a/debian/initramfs-tools/lvm2/hooks/lvm2
b/debian/initramfs-tools/lvm2/hooks/lvm2
index b28901a01..46a01b615 100755
--- a/debian/initramfs-tools/lvm2/hooks/lvm2
+++ b/debian/initramfs-tools/lvm2/hooks/lvm2
@@ -16,7 +16,7
Kindly ping.
Anything missing or unclear?
Regards,
Christian Göttsche
Package: selinux-policy-default
Version: 2:2.20240202-1
Tags: patch
The invocation of semodule in the postinst maintainer script might
fail, e.g. due to conflicts with local modifications.
Since by default the CIL log level is error and those error messages
are rather generic the actual cause is m
able; urgency=medium
.
* New upstream version 2.12
.
* d/patches: rebase and drop upstream applied one
* d/copyright: bump years
Regards,
Christian Göttsche
Package: python3-networkx
Version: 2.8.8-1
Dear Maintainer,
during installation of python3-networkx two warnings are displayed:
Setting up python3-networkx (2.8.8-1) ...
/usr/lib/python3/dist-packages/networkx/readwrite/tests/test_gml.py:556:
SyntaxWarning: invalid octal escape sequence
ince the last upload:
selint (1.5.0-1) unstable; urgency=medium
.
* New upstream version 1.5.0
.
* d/patches: drop upstream applied patches
* d/copyright: update years
Regards,
Christian Göttsche
logrotate (3.21.0-2) unstable; urgency=medium
.
* d/control: bump to std version 4.6.2 (no further changes)
* d/copyright: bump year
* d/patches: set Forwarded header
* debian: install systemd units via dh_installsystemd (Closes: #1059999)
Regards,
Christian Göttsche
control: tags 1052000 wontfix
For the default interval, daily seems in my opinion to be the right choice.
I am not aware of other distributions using different intervals.
Also there might be conflicts with third party configuration snippets
(causing unwanted load, too short retention period).
Users
Source: libunwind
X-Debbugs-Cc: Noah Meyerhans
Severity: important
Affects: src:dovecot
Dear Maintainer,
please consider packaging the newest upstream version 1.7.2 (released in July).
Due to the outdated version currently in sid dovecot FTBFS on arm64.
With the recent addition of the default ha
Package: glibc
Version: 2.37-12
In the light of the recent privilege escalation vulnerability I'd like
to suggest disabling the support for tunables in secure mode (most
notably for setuid-binaries).
This would mitigate future regressions in the handling of the
environment variable and possible vu
Upstream contains already a fix:
https://invent.kde.org/plasma/drkonqi/-/commit/d8d580f08925dfb6d924868ec7be436a12289ec0
("Fix malloc-delete mismatch")
Package: drkonqi
Version: 5.27.8-1
Severity: important
Tags: patch
Currently drkonqi crashes while running with hardened_malloc[1], due
to a deallocation size mismatch.
The memory returned by sd_journal_get_cursor(3) is freed via
std::default_delete::operator() instead of free(3).
Please conside
Package: drkonqi
Version: 5.27.8-1
Severity: important
If for any reason drkonqi-coredump-processor crashes itself, those
crashes should not be processed.
Otherwise an endless cycle of drkonqi-coredump-processor@id.service
instances is spawned.
Package: drkonqi
Version: 5.27.8-1
Severity: normal
drkonqi-coredump-processor crashes if too few command line arguments are given:
#0 std::__atomic_base::load (__m=std::memory_order_relaxed,
this=0x0) at /usr/include/c++/13/bits/atomic_base.h:503
#1 QAtomicOps::loadRelaxed (_q_value=...) at
/
pplied ones
Regards,
--
Christian Göttsche
Control: tags -1 -moreinfo
On Sat, 19 Aug 2023 at 18:51, Jeroen Ploemen wrote:
>
> one minor issue:
> * copyright: years outdated for upstream only
>
>
> Please remove the moreinfo tag (and CC me directly) once you have an
> updated package ready.
Done.
Also added a patch regarding a Lintian iss
able; urgency=medium
.
* New upstream version 2.11
* d/patches: rebase
Regards,
--
Christian Göttsche
on dh_clean (Closes: #1046465, 1049654)
Regards,
--
Christian Göttsche
2.dsc
Changes since the last upload:
logrotate (3.18.0-2+deb11u2) bullseye; urgency=medium
.
* d/patches: cherry-pick upstream fix:
- writeState: do nothing if state file is /dev/null (Closes: #1039868)
Permitted via #1039994.
Regards,
--
Christian Göttsche
Package: src:linux
Version: 6.4.4-1
Severity: serious
Dear Maintainer,
Kernel 6.4.4 is affected by a regression causing one core to report
high IO wait utilization.
See https://lore.kernel.org/lkml/12251678.o9o76zd...@natalenko.name/
On Mon, 26 Jun 2023 at 08:00, Trent W. Buck wrote:
>
> FYI, attached are my monit systemd units.
> They are definitely "too hardened" for some users.
> You can PROBABLY just take everything before the hardening part, and use that
> as-is.
>
> In particular, I deliberately prevent monit running as
The included python script generate.py calls nm(1) from binutils.
Maybe the file-split into binary packages could be changed, since I am
mainly interested in sepolgen-ifgen and sepolgen-ifgen-attr-helper,
which have no dependency on binutils.
control: severity -1 serious
control: affects -1 src:libsepol
The duplicate declaration of the filecontext
/var/log/rspamd(/.*)?
became a hard error with libsepol 3.5 and thus is preventing libsepol
from migrating to testing.
Please apply patch 0001-d-patches-drop-addition-of-existent-file-
On Mon, 10 Jul 2023 at 12:14, Laurent Bigonville wrote:
>
> I'm wondering if that couldn't be done directly by the systemd package
> instead of the libselinux1, that might avoid us the need to introduce a
> new libselinux-common package or headache in the (unlikely?) case there
> a soname change t
riteState: do nothing if state file is /dev/null (Closes: #1039868)
+
+ -- Christian Göttsche Fri, 30 Jun 2023
19:45:16 +0200
+
logrotate (3.18.0-2+deb11u1) stable; urgency=medium
* d/patches: cherry-pick upstream fixes:
diff -Nru
logrotate-3.18.0/debian/patches/applied-upstream/writeState-d
he explain script needs to be updated to work with the recent
set -e addition:
-disabled=$(echo $line | grep 'disabled')
+disabled=$(echo $line | grep -wE 'disabled\s*$') || true
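Review bot: `$line` is still unquoted in the `+` line's `echo $line`, so word splitting and glob expansion can change the text grep sees before the new `'disabled\s*$'` anchor is matched; since the line is being touched anyway to add `|| true` for the `set -e` change, make it `echo "$line"` in the same edit. The `|| true` itself is correct here: under `set -e` a non-matching grep would otherwise abort the script, and with it `disabled` is simply left empty on no match.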
Best regards,
Christian Göttsche
Re-checked on a new installed bookworm system:
type=PROCTITLE msg=audit(01/04/23 19:09:55.035:61) :
proctitle=restorecon -vv -R -F -n -T 0 /
type=PATH msg=audit(01/04/23 19:09:55.035:61) : item=0
name=/proc/sys/vm/overcommit_memory inode=14256 dev=00:14
mode=file,644 ouid=root ogid=root rdev=00:0
tsuite and is used in the upstream CI
of the Reference Policy[1].
Thus chances for regressions are minimal and the cherry-picked commits
should be suitable for bookworm.
[1]:
https://github.com/SELinuxProject/refpolicy/blob/8e8f5e3ca3e5900cad126cb8b4fadaa8adb8caac/.github/workflows/tests.yml#L56
Rega
On Mon, 27 Feb 2023 at 13:06, Eneko Lacunza wrote:
>
> Hi,
>
> We have a VM with this issue happening right now.
>
> ii rsyslog8.2102.0-2+deb11u1 amd64reliable system and
> kernel logging daemon
From the rsyslog version I assume you are using logrotate version
3.18.0-2+deb11u1.
Package: breeze
Version: 4:5.27.2-1
The package breeze recommends the package kde-style-qtcurve, which got
removed in 2015[1].
[1]: https://tracker.debian.org/pkg/kde-style-qtcurve
Source: accountsservice
Version: 22.08.8-6
Tags: security,patch
Dear Maintainer,
please enable full hardening flags for accounts-daemon; in particular,
the link feature BINDNOW[1] is currently missing.
As accounts-daemon is a long running daemon any potential startup
costs are negligible.
[1]:
h
able; urgency=medium
.
[ Alexandre Detiste ]
* register volative files with dh-cruft
* remove obsolete dependency on lsb-base
.
[ Christian Göttsche ]
* d/control:
- sort build depends
- minimize nocheck build depends
- bump to std version 4.6.2 (no further changes)
* d/co
Source: xorg-server
Version: 2:21.1.7-1
Tags: security,patch
Dear Maintainer,
please enable full hardening flags for Xorg; in particular, the link
feature BINDNOW[1] is currently missing.
As Xorg is a long running daemon any potential startup costs are negligible.
[1]:
https://wiki.debian.org/Ha
Package: console-setup
Version: 1.217
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
Tags: patch
When copying files into the temporary working directory do not copy
the security context but use the default one for the target path.
Otherwise, e.g. when using SELinux, the context migh
* d/libutempter0.lintian-overrides: update format
* d/copyright: correct license of utempter.3 and update years
* d/patches: cherry-pick commit logging PPID on error
* d/upstream: add minimal metadata
Regards,
Christian Göttsche
Source: gdb
Version: 13.1-1
Severity: serious
Justification: violates Debian Policy 12.7.
The binary packages, e.g. gdb[1], do not contain a changelog file,
required by the Debian Policy 12.7 [2].
[1]: https://packages.debian.org/sid/amd64/gdb/filelist
[2]:
https://www.debian.org/doc/debian-pol
Package: tzdata
Version: 2022g-6
Tags: patch
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
Dear Maintainer,
with version 2022g-6 the postinst script creates /etc/timezone if it does not exist.
Please ensure the file, especially if created, has the default SELinux
context, e.g. via:
d
On Thu, 9 Feb 2023 at 15:51, Santiago Ruano Rincón
wrote:
>
> Have you been able to test how it builds on GNU/Hurd, and confirm it
> fixes the FTBFS?
I have not tested the fixes directly on GNU/Hurd.
But the main difference for the build is the absence of
, and I tested building with HAVE_LINUX_M
on GNU/Hurd
Regards,
--
Christian Göttsche
ince the last upload:
selint (1.4.0-2) unstable; urgency=medium
.
* d/patches: add: skip valgrind tests if valgrind is not available
Regards,
--
Christian Göttsche
: Validate the policy at build time
Best regards,
Christian Göttsche
From 5d21e5f3f27dcd06fcf85f0148324c300efb9046 Mon Sep 17 00:00:00 2001
From: Christian Göttsche
Date: Tue, 7 Feb 2023 15:35:59 +0100
Subject: [PATCH 1/4] d/patches: drop addition of existent file context
td version 4.6.2 (no further changes)
* d/copyright: convert to machine-readable format
Regards,
--
Christian Göttsche
ream
* d/{control, rules}: skip valgrind on problematic architectures
(Closes: #1030222)
* d/clean: also clean generated parser header
Regards,
--
Christian Göttsche
> Would it be possible to check and restrict valgrind dependency only on the
> above architectures?
I am probably going to drop the dependency on valgrind completely, as
the testsuite with valgrind also fails on mipsel (maybe some DWARF
incompatibility?).
Valgrind is used in the upstream CI, and
ince the last upload:
selint (1.3.0-2) unstable; urgency=medium
.
* debian: run functional tests
* debian: skip building tests with nocheck
* d/tests/refpolicy-test: support zstd compressed source
* d/clean: delete generated testsuite artifacts to build twice
Regards,
--
Christian Göttsche
control: tags -1 patch
Patches attached.
Included a bunch of modernizations; the ones critical for the
autopkgtest are 0013-Fix-brctl-patch-to-pass-neverallow-check.patch
and 0014-Add-autopkgtest-Closes-1012841.patch.
From 909f9bb0da70dcb219d42c126e426554342d87f1 Mon Sep 17 00:00:00 2001
From: =?
Package: ncdu
Version: 1.17-0.1
Dear Maintainer,
please consider packaging the newest (C written) release 1.18.
Regards,
Christian Göttsche
Package: libselinux1
Version: 3.1-3
Severity: important
Tags: security
Libselinux by default, since Debian does not specify DISABLE_SETRANS
at compile time, tries to translate security contexts within non-raw
interfaces, e.g. getfilecon(3). The purpose is to translate MCS/MLS
labels into human re
control: user selinux-de...@lists.alioth.debian.org
control: usertag -1 selinux
Hi,
an improved patch, which also reorders pam_motd, can be found at
https://salsa.debian.org/ssh-team/openssh/-/merge_requests/20.
On Tue, 27 Dec 2022 at 23:11, Simon Ruderich wrote:
>
> On Tue, Dec 27, 2022 at 05:48:20PM +0100, Christian Göttsche wrote:
> > Please recognize -D_FORTIFY_SOURCE=3 as fortification enabled.
>
> Hi,
>
> should be implemented with [1]. Please test.
Works fine.
Thanks!
Package: blhc
Version: 0.13-3
A new fortification level of 3 has been added in glibc 2.35[1] and is
supported in GCC 12 (via __builtin_dynamic_object_size)[2].
Please recognize -D_FORTIFY_SOURCE=3 as fortification enabled.
[1]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.ht
Patch available at
https://salsa.debian.org/rust-team/debcargo-conf/-/merge_requests/406
Source: xwayland
Version: 2:22.1.6-1
Tags: security,patch
Dear Maintainer,
please enable full hardening flags for Xwayland; in particular, the
link feature BINDNOW[1] is currently missing.
As Xwayland is a long running daemon any potential startup costs are negligible.
[1]:
https://wiki.debian.o
logrotate (3.21.0-1) unstable; urgency=medium
.
* New upstream version 3.21.0 (Closes: #1015964)
.
[ Marc Deslauriers ]
* d/rules: fix sed syntax to not end up with a backup file (Closes: #1011771)
.
[ Christian Göttsche ]
* d/watch: rework after GitHub API change
* d/s/lintian-over