Hi,
I maintain Groonga package as a DM, so I want to fix #928304.
But I've never uploaded package to stable before, so I need help
to do it in a good manner.
I've attached debdiff against current version.
Is it ok to upload stretch-security?
diff -Nru groonga-6.1.5/debian/changelog groonga-6.1.5/debian/changelog
--- groonga-6.1.5/debian/changelog 2017-01-23 19:14:09.000000000 +0900
+++ groonga-6.1.5/debian/changelog 2019-05-07 22:33:11.000000000 +0900
@@ -1,3 +1,13 @@
+groonga (6.1.5-2) stretch-security; urgency=medium
+
+ * debian/groonga-httpd.logrotate
+ debian/groonga-server-gqtp.logrotate
+ - Mitigate privilege escalation by changing the owner and group of logs
+ with "su" option. Reported by Wolfgang Hotwagner.
+ (Closes: #928304) (CVE-2019-11675)
+
+ -- Kentaro Hayashi <haya...@clear-code.com> Tue, 07 May 2019 22:33:11 +0900
+
groonga (6.1.5-1) unstable; urgency=medium
* New upstream release.
diff -Nru groonga-6.1.5/debian/groonga-httpd.logrotate groonga-6.1.5/debian/groonga-httpd.logrotate
--- groonga-6.1.5/debian/groonga-httpd.logrotate 2016-12-10 15:18:50.000000000 +0900
+++ groonga-6.1.5/debian/groonga-httpd.logrotate 2019-05-07 22:33:11.000000000 +0900
@@ -1,11 +1,11 @@
/var/log/groonga/httpd/*.log {
+ su groonga groonga
daily
missingok
rotate 30
compress
delaycompress
notifempty
- create 640 groonga groonga
sharedscripts
postrotate
. /etc/default/groonga-httpd
diff -Nru groonga-6.1.5/debian/groonga-server-gqtp.logrotate groonga-6.1.5/debian/groonga-server-gqtp.logrotate
--- groonga-6.1.5/debian/groonga-server-gqtp.logrotate 2016-12-10 15:18:50.000000000 +0900
+++ groonga-6.1.5/debian/groonga-server-gqtp.logrotate 2019-05-07 22:33:11.000000000 +0900
@@ -1,11 +1,11 @@
/var/log/groonga/*-gqtp.log {
+ su groonga groonga
daily
missingok
rotate 30
compress
delaycompress
notifempty
- create 640 groonga groonga
sharedscripts
postrotate
. /etc/default/groonga-server-gqtp
