Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Dear release team,

I would like to propose an update for the version of suricata in buster (4.1.2-2). It addresses a problem with dropping privileges when started in a particular runmode, which would otherwise fail in this version. Upstream has merged this patch already [1] and it has been included in the current version in unstable (5.0.2) [2] which the original patch author backported to 4.1.2 to allow fixing it in buster as well. The corresponding bug in Debian is #951181 [3] -- it has the required severity of important and describes the issue in more detail.

I have also attached a debdiff of the proposed changes to the source package. It builds fine in a buster chroot and all autopkgtests succeed with no issues in a buster LXC container.

Please let me know what the next steps would be.

Thanks!

Best regards
Sascha Steinbiss

[1] https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391
[2] https://suricata-ids.org/2020/02/13/suricata-5-0-2-released/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951181
diff -Nru suricata-4.1.2/debian/changelog suricata-4.1.2/debian/changelog --- suricata-4.1.2/debian/changelog 2019-01-09 12:53:47.000000000 +0100 +++ suricata-4.1.2/debian/changelog 2020-03-22 12:07:13.000000000 +0100 @@ -1,3 +1,10 @@ +suricata (1:4.1.2-2+deb10u1) buster; urgency=medium + + * Include patch for issue fixed upstream, see bug report below. + Closes: #951181 + + -- Sascha Steinbiss <sa...@debian.org> Sun, 22 Mar 2020 12:07:13 +0100 + suricata (1:4.1.2-2) unstable; urgency=medium * Upload to unstable. diff -Nru suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch --- suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch 1970-01-01 01:00:00.000000000 +0100 +++ suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch 2020-03-22 12:06:40.000000000 +0100 
@@ -0,0 +1,37 @@ +From: Timo Sigurdsson <public_tim...@silentcreek.de> +Date: Tue, 11 Feb 2020 23:29:06 +0100 +Subject: [PATCH] init: Fix dropping privileges in nflog runmode + +Using the run-as configuration option with the nflog capture method +results in the following error during the startup of suricata: +[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed + +This is because SCDropMainThreadCaps does not have any capabilities +defined for the nflog runmode (unlike other runmodes). Therefore, apply +the same capabilities to the nflog runmode that are already defined for +the nfqueue runmode. This has been confirmed to allow suricata start +and drop its privileges in the nflog runmode. + +Fixes redmine issue #3265. + +Backport of commit 1262ecb upstream to suricata 4.1.2 (Debian Buster). + +Signed-off-by: Timo Sigurdsson <public_tim...@silentcreek.de> +--- + src/util-privs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/util-privs.c ++++ b/src/util-privs.c +@@ -75,9 +75,10 @@ + CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE, + -1); + break; ++ case RUNMODE_NFLOG: + case RUNMODE_NFQ: + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, +- CAP_NET_ADMIN, /* needed for nfqueue inline mode */ ++ CAP_NET_ADMIN, /* needed for nflog and nfqueue inline mode */ + CAP_SYS_NICE, + -1); + break; diff -Nru suricata-4.1.2/debian/patches/series suricata-4.1.2/debian/patches/series --- suricata-4.1.2/debian/patches/series 2019-01-09 12:19:12.000000000 +0100 +++ suricata-4.1.2/debian/patches/series 2020-03-22 12:06:05.000000000 +0100 @@ -4,3 +4,4 @@ no-use-gnu.patch suricata-common-last.patch fix-repeated-builds.patch +backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
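Review bot: the debian/changelog hunk describes the change only as "Include patch for issue fixed upstream, see bug report below", so a user reading the point-release changelog cannot tell what was fixed without opening #951181; stable-update entries should name the problem and the upstream reference themselves, e.g. `* Backport upstream commit 1262ecb to fix dropping privileges in the nflog runmode (run-as failed with SC_ERR_NFLOG_BIND). Closes: #951181`.

Review bot: the backported patch added under debian/patches carries only git-style From/Date/Subject headers; adding DEP-3 `Origin: backport, https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391` and `Bug-Debian: https://bugs.debian.org/951181` lines would make its provenance traceable from the source package alone. The code change in the nested util-privs.c hunk reads correctly: `case RUNMODE_NFLOG:` is placed directly before `case RUNMODE_NFQ:` so nflog falls through to the same `capng_updatev` call and retains only CAP_NET_ADMIN (which the kernel requires for the nflog_bind_pf() netlink bind named in the commit message) and CAP_SYS_NICE after privileges are dropped, and the `@@ -75,9 +75,10 @@` counts match one added line plus one replaced comment line.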