Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id 
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #954716,
regarding buster-pu: package suricata/1:4.1.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
954716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954716
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Dear release team,

I would like to propose an update for the version of suricata in buster
(4.1.2-2). It addresses a problem with dropping privileges when started
in a particular runmode, which would otherwise fail in this version.
Upstream has merged this patch already [1] and it has been included in
the current version in unstable (5.0.2) [2] which the original patch author
backported to 4.1.2 to allow fixing it in buster as well.

The corresponding bug in Debian is #951181 [3] -- it has the required
severity of important and describes the issue in more detail.

I have also attached a debdiff of the proposed changes to the source
package. It builds fine in a buster chroot and all autopkgtests succeed
with no issues in a buster LXC container.

Please let me know what the next steps would be. Thanks!

Best regards
Sascha Steinbiss

[1] 
https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391
[2] https://suricata-ids.org/2020/02/13/suricata-5-0-2-released/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951181
diff -Nru suricata-4.1.2/debian/changelog suricata-4.1.2/debian/changelog
--- suricata-4.1.2/debian/changelog     2019-01-09 12:53:47.000000000 +0100
+++ suricata-4.1.2/debian/changelog     2020-03-22 12:07:13.000000000 +0100
@@ -1,3 +1,10 @@
+suricata (1:4.1.2-2+deb10u1) buster; urgency=medium
+
+  * Include patch for issue fixed upstream, see bug report below.
+    Closes: #951181
+
+ -- Sascha Steinbiss <[email protected]>  Sun, 22 Mar 2020 12:07:13 +0100
+
 suricata (1:4.1.2-2) unstable; urgency=medium
 
   * Upload to unstable.
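Review bot: The new changelog entry ("Include patch for issue fixed upstream, see bug report below.") does not say what the fix is, so a reader of the point-release changelog has to follow the bug number to learn that it concerns privilege dropping in the nflog runmode. Suggest stating it in the entry itself, e.g. "Backport upstream commit 1262ecb to fix dropping privileges in the nflog runmode (Closes: #951181)". The version string 1:4.1.2-2+deb10u1 and the buster distribution are the expected form for a stable update.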
diff -Nru 
suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
 
suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
--- 
suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
  2020-03-22 12:06:40.000000000 +0100
@@ -0,0 +1,37 @@
+From: Timo Sigurdsson <[email protected]>
+Date: Tue, 11 Feb 2020 23:29:06 +0100
+Subject: [PATCH] init: Fix dropping privileges in nflog runmode
+
+Using the run-as configuration option with the nflog capture method
+results in the following error during the startup of suricata:
+[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed
+
+This is because SCDropMainThreadCaps does not have any capabilities
+defined for the nflog runmode (unlike other runmodes). Therefore, apply
+the same capabilities to the nflog runmode that are already defined for
+the nfqueue runmode. This has been confirmed to allow suricata start
+and drop its privileges in the nflog runmode.
+
+Fixes redmine issue #3265.
+
+Backport of commit 1262ecb upstream to suricata 4.1.2 (Debian Buster).
+
+Signed-off-by: Timo Sigurdsson <[email protected]>
+---
+ src/util-privs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/util-privs.c
++++ b/src/util-privs.c
+@@ -75,9 +75,10 @@
+                     CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE,
+                     -1);
+             break;
++        case RUNMODE_NFLOG:
+         case RUNMODE_NFQ:
+             capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+-                    CAP_NET_ADMIN,          /* needed for nfqueue inline mode 
*/
++                    CAP_NET_ADMIN,          /* needed for nflog and nfqueue 
inline mode */
+                     CAP_SYS_NICE,
+                     -1);
+             break;
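Review bot: The patch header carries the upstream author, date and a "Backport of commit 1262ecb upstream" sentence in the body, but no DEP-3 fields; adding `Origin: backport, https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391` and `Bug-Debian: https://bugs.debian.org/951181` lines would make the provenance machine-readable for the stable update. On the code change itself: inserting `case RUNMODE_NFLOG:` directly above `case RUNMODE_NFQ:` makes nflog fall through to the existing capng_updatev call, so the nflog runmode keeps exactly the nfqueue set (CAP_NET_ADMIN, CAP_SYS_NICE) rather than the wider set of the preceding case that also includes CAP_NET_RAW; that is the minimal grant for the nflog_bind_pf() failure described in the commit message, and the hunk counts (9 old lines, 10 new lines; 2 insertions, 1 deletion) are consistent with the one added case label and the reworded comment line.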
diff -Nru suricata-4.1.2/debian/patches/series 
suricata-4.1.2/debian/patches/series
--- suricata-4.1.2/debian/patches/series        2019-01-09 12:19:12.000000000 
+0100
+++ suricata-4.1.2/debian/patches/series        2020-03-22 12:06:05.000000000 
+0100
@@ -4,3 +4,4 @@
 no-use-gnu.patch
 suricata-common-last.patch
 fix-repeated-builds.patch
+backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
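Review bot: Appending the new patch as the last entry of debian/patches/series is the right choice for a stable update, since it leaves the order of the existing patches untouched, and the file name matches the patch added under debian/patches above, so the series will apply as a whole.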

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---