Your message dated Sat, 25 Mar 2023 19:34:47 +0000 with message-id <e1pg9f5-009afk...@respighi.debian.org> and subject line unblock amanda has caused the Debian Bug report #1033292, regarding unblock: amanda/1:3.5.1-11 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1033292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033292 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt, calha...@debian.org, ns-l...@dsi.ist.utl.pt Control: affects -1 + src:amanda Please unblock package amanda [ Reason ] The previous version on the fix for CVE-CVE-2022-37705 introduced a regression that is fixed by this version. [ Impact ] Breaks the use of tar, for backups in some setups, on the affected clients, i.e., the use of package amanda-client. The server can not backup itself, but can backups clients with good amanda client software, [ Tests ] I manually tested the affected version and the fixed version, using a VM running testing (bookworm) with a amanda compiled for sid. The test is to do backup of the server. The detail that breaks or not is two options in a dumptype that specifies what program to use for backup. When using traditional and old interface for gnutar it breaks. When using the new interface it is not affected. I do not have experience in C language to do a proper review of the patch that is very simple, but broken in 3.5.1-10. [ Risks ] The fix in 3.5.1-10 for the three CVEs are a low risks ones because user backup is a restricted user. Only people with previliges already can login as user backup and try to run the setgid binaries. For the people affected by regression 3.5.1-10 can workaround using an older version on the affected clients. This bugs does not affect other packages as amanda-client is a leaf package. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] for name in amanda-client amanda-common amanda-server ; do debdiff "/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb" "/root/${name}_3.5.1-11_amd64.deb" ; done File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} libxml-simple-perl, perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8), libreadline8 (>= 6.0) Version: [-1:3.5.1-10-] {+1:3.5.1-11+} File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} Version: [-1:3.5.1-10-] {+1:3.5.1-11+} File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx | mailx, libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2), libglib2.0-0 (>= 2.31.8) Installed-Size: [-1076-] {+1077+} Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st, gnuplot Version: [-1:3.5.1-10-] {+1:3.5.1-11+} unblock amanda/1:3.5.1-11
--- End Message ---
--- Begin Message ---Unblocked.
--- End Message ---
