Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock groonga package:

* It fixes #928304.

The bug is reported against 6.1.5-1 on stretch, but it needs to be fixed on testing and unstable package too, so I've prepared the update.

Note that it is already packaged on testing (9.0.0-1) and unstable (9.0.1-1).

9.0.1-1 contains unrelated changes to #928304, so based on freeze policy, it seems that update package (9.0.0-1+deb10u1) should be uploaded to testing-proposed-updates explicitly.

Here is the debdiff:

debdiff groonga_9.0.0-1.dsc groonga_9.0.0-1+deb10u1.dsc
diff -Nru groonga-9.0.0/debian/changelog groonga-9.0.0/debian/changelog --- groonga-9.0.0/debian/changelog 2019-02-09 22:13:00.000000000 +0900 +++ groonga-9.0.0/debian/changelog 2019-05-09 22:44:57.000000000 +0900 @@ -1,3 +1,13 @@ +groonga (9.0.0-1+deb10u1) testing-proposed-updates; urgency=medium + + * debian/groonga-httpd.logrotate + debian/groonga-server-gqtp.logrotate + - Mitigate privilege escalation by changing the owner and group of logs + with "su" option. Reported by Wolfgang Hotwagner. + (Closes: #928304) (CVE-2019-11675) + + -- Kentaro Hayashi <haya...@clear-code.com> Thu, 09 May 2019 22:44:57 +0900 + groonga (9.0.0-1) unstable; urgency=medium * New upstream version 9.0.0 diff -Nru groonga-9.0.0/debian/groonga-httpd.logrotate groonga-9.0.0/debian/groonga-httpd.logrotate --- groonga-9.0.0/debian/groonga-httpd.logrotate 2019-02-09 22:12:32.000000000 +0900 +++ groonga-9.0.0/debian/groonga-httpd.logrotate 2019-05-09 22:43:28.000000000 +0900 @@ -1,11 +1,11 @@ /var/log/groonga/httpd/*.log { + su groonga groonga daily missingok rotate 30 compress delaycompress notifempty - create 640 groonga groonga sharedscripts postrotate . /etc/default/groonga-httpd diff -Nru groonga-9.0.0/debian/groonga-server-gqtp.logrotate groonga-9.0.0/debian/groonga-server-gqtp.logrotate --- groonga-9.0.0/debian/groonga-server-gqtp.logrotate 2019-02-09 22:12:32.000000000 +0900 +++ groonga-9.0.0/debian/groonga-server-gqtp.logrotate 2019-05-09 22:43:28.000000000 +0900 
@@ -1,11 +1,11 @@ /var/log/groonga/*-gqtp.log { + su groonga groonga daily missingok rotate 30 compress delaycompress notifempty - create 640 groonga groonga sharedscripts postrotate . /etc/default/groonga-server-gqtp
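Review bot: the new debian/changelog entry documents only the added "su" option, but both logrotate hunks also delete `create 640 groonga groonga`. Please mention that removal in the entry, with the reason, so the changelog matches what the diff actually changes.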
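Review bot: in debian/groonga-httpd.logrotate, dropping `create 640 groonga groonga` means the stanza no longer pins the mode of the freshly created log under /var/log/groonga/httpd/. The mode then depends on the global logrotate `create` setting or on how the daemon creates the file when it reopens it. If 640 is still the intended mode, keep an explicit mode next to `su groonga groonga`, or say in the request why it is safe to drop.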
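Review bot: debian/groonga-server-gqtp.logrotate keeps `sharedscripts` and a `postrotate` that sources /etc/default/groonga-server-gqtp, and the request does not say whether rotation was exercised after adding `su groonga groonga`. Please confirm that a forced run (`logrotate -f` on this file) still rotates /var/log/groonga/*-gqtp.log and that the server reopens its log afterwards, and note the result in the unblock request.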