Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

we would like to fix the following two problems in stable:

1) The bacula packages are vulnerable to a security problem similar to CVE-2017-14610 (PID files not owned by root). On the downside this change disables a bacula feature that permits automatic tracebacks on a crash. I've mailed the security team about this, they recommended a stable update.

2) Bug #880529: When updating from jessie to stretch, the package "bacula-director-common" will be removed, but the postrm will stay around. Upon purging this package, postrm unconditionally removes the main bacula configuration file /etc/bacula/bacula-dir.conf, leaving bacula unusable. We fix this by introducing a transitional package that can then be safely removed.

Regards,
Carsten

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
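The PID-file problem in item 1 is that a stop script running as root signals whatever PID it reads from a file the service user can write. As an added example (not from this report or the bacula package), here is a stop helper that validates the PID file before signalling; it assumes Linux `/proc` and a `stat` that understands `-c %u`, and the names `checked_pid` and `stop_daemon` are hypothetical.

```shell
#!/bin/sh
# checked_pid PIDFILE EXPECTED_COMM
# Prints the PID from PIDFILE and returns 0 only if:
#   - PIDFILE is a regular file (not a symlink),
#   - it is owned by the user running this script (root for an init script),
#   - its content is a positive integer,
#   - that PID is alive and its command name matches EXPECTED_COMM.
# Otherwise returns 1, so a caller never signals an attacker-chosen PID.
checked_pid() {
    pidfile=$1
    expect=$2
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then
        return 1
    fi
    # A PID file writable by the unprivileged daemon user must not be trusted.
    owner=$(stat -c %u "$pidfile") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # /proc/<pid>/comm holds the kernel's view of the process name.
    comm=$(cat "/proc/$pid/comm" 2>/dev/null) || return 1
    [ "$comm" = "$expect" ] || return 1
    printf '%s\n' "$pid"
}

# stop_daemon PIDFILE EXPECTED_COMM: like an init script's stop target, but
# it only sends SIGTERM to a PID that passed the checks above.
stop_daemon() {
    pid=$(checked_pid "$1" "$2") || {
        echo "refusing to stop: untrusted PID file $1" >&2
        return 1
    }
    kill -TERM "$pid"
}
```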
diff -Nru bacula-7.4.4+dfsg/debian/bacula-director.init bacula-7.4.4+dfsg/debian/bacula-director.init --- bacula-7.4.4+dfsg/debian/bacula-director.init 2017-02-26 13:39:25.000000000 +0100 +++ bacula-7.4.4+dfsg/debian/bacula-director.init 2017-11-15 22:55:15.000000000 +0100 @@ -67,7 +67,7 @@ { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff -Nru bacula-7.4.4+dfsg/debian/bacula-fd.init bacula-7.4.4+dfsg/debian/bacula-fd.init --- bacula-7.4.4+dfsg/debian/bacula-fd.init 2017-02-26 13:39:25.000000000 +0100 +++ bacula-7.4.4+dfsg/debian/bacula-fd.init 2017-11-15 22:55:15.000000000 +0100 @@ -54,7 +54,7 @@ { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff -Nru bacula-7.4.4+dfsg/debian/bacula-sd.init bacula-7.4.4+dfsg/debian/bacula-sd.init --- bacula-7.4.4+dfsg/debian/bacula-sd.init 2017-02-26 13:39:25.000000000 +0100 +++ bacula-7.4.4+dfsg/debian/bacula-sd.init 2017-11-15 22:55:15.000000000 +0100 @@ -53,7 +53,7 @@ { if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff -Nru bacula-7.4.4+dfsg/debian/changelog bacula-7.4.4+dfsg/debian/changelog --- bacula-7.4.4+dfsg/debian/changelog 2017-02-26 13:39:25.000000000 +0100 +++ bacula-7.4.4+dfsg/debian/changelog 2017-11-15 22:55:15.000000000 +0100 
@@ -1,3 +1,17 @@ +bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium + + [Sven Hartge] + * Let PID files be owned by root. Mitigates a minor security problem + similar to CVE 2017-14610. Note that this change disables automatic + tracebacks. + + [ Carsten Leonhardt ] + * Added transitional package bacula-director-common, the old leftover + package can't be safely purged otherwise (it deletes + /etc/bacula/bacula-dir.conf in postrm) (Closes: #880529) + + -- Carsten Leonhardt <l...@debian.org> Wed, 15 Nov 2017 22:55:15 +0100 + bacula (7.4.4+dfsg-6) unstable; urgency=medium [Sven Hartge] diff -Nru bacula-7.4.4+dfsg/debian/control bacula-7.4.4+dfsg/debian/control --- bacula-7.4.4+dfsg/debian/control 2017-02-26 13:39:25.000000000 +0100 +++ bacula-7.4.4+dfsg/debian/control 2017-11-15 22:55:15.000000000 +0100 @@ -357,3 +357,13 @@ . This GUI interface has been designed to ease restore operations as much as possible as compared to the basic text console. + +Package: bacula-director-common +Section: oldlibs +Architecture: any +Pre-Depends: ${misc:Pre-Depends} +Depends: + bacula-common (= ${binary:Version}), + ${misc:Depends} +Description: transitional package + This is a transitional package. It can safely be removed. diff -Nru bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch --- bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch 2017-02-26 13:39:25.000000000 +0100 +++ bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch 2017-11-15 22:55:15.000000000 +0100 
@@ -20,13 +20,13 @@ -PIDFile=@piddir@/bacula-dir.@dir_port@.pid -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf +Type=simple -+User=bacula -+Group=bacula ++User=root ++Group=root +Environment="CONFIG=/etc/bacula/bacula-dir.conf" +EnvironmentFile=-/etc/default/bacula-dir -+ExecStartPre=@sbindir@/bacula-dir -t -c $CONFIG -+ExecStart=@sbindir@/bacula-dir -f -c $CONFIG -+ExecReload=@sbindir@/bacula-dir -t -c $CONFIG ++ExecStartPre=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG ++ExecStart=@sbindir@/bacula-dir -f -u bacula -g bacula -c $CONFIG ++ExecReload=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG ExecReload=/bin/kill -HUP $MAINPID +SuccessExitStatus=15 StandardError=syslog @@ -67,12 +67,12 @@ -ExecStart=@sbindir@/bacula-sd -c @sysconfdir@/bacula-sd.conf -PIDFile=@piddir@/bacula-sd.@sd_port@.pid +Type=simple -+User=bacula -+Group=tape ++User=root ++Group=root +Environment="CONFIG=/etc/bacula/bacula-sd.conf" +EnvironmentFile=-/etc/default/bacula-sd -+ExecStartPre=@sbindir@/bacula-sd -t -c $CONFIG -+ExecStart=@sbindir@/bacula-sd -f -c $CONFIG ++ExecStartPre=@sbindir@/bacula-sd -t -u bacula -g tape -c $CONFIG ++ExecStart=@sbindir@/bacula-sd -f -u bacula -g tape -c $CONFIG +ExecReload=/bin/kill -HUP $MAINPID +SuccessExitStatus=15 StandardError=syslog
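Review bot: in the bacula-sd.init hunk the new line passes `-g $BUSER -g $BGROUP` where the bacula-director.init and bacula-fd.init hunks pass `-u $BUSER -g $BGROUP`. With no `-u` option the storage daemon is never told which user to switch to, and since `--chuid $BUSER:$BGROUP` was removed from start-stop-daemon at the same time, bacula-sd would now keep running as root under sysvinit instead of dropping to $BUSER. The unchanged configtest line above it (`$DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG`) carries the same typo, which is why the test still passes and hides the problem. Suggest `--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG` and fixing the configtest line too; the systemd unit in the non-forking-systemd-units.patch hunk already uses `-u bacula -g tape` for bacula-sd, so the two startup paths should be brought in line.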
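Review bot: the changelog entry "Let PID files be owned by root" does not say how that is achieved, namely that the daemons are now started as root (`User=root`/`Group=root` in the units, no `--chuid` in the init scripts) and drop privileges themselves via `-u`/`-g`. Administrators who audit process ownership or who carry local unit overrides with `User=bacula` will see a behaviour change, so the changelog (or a NEWS entry) should state that the daemons start as root and switch user after creating the PID file, and that the storage daemon's group is now applied through `-g tape` rather than `Group=tape`.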