Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Upstream recently fixed two memory leaks in xymond, xymon's main daemon. Without these fixes, leakages of 2 GB memory per day have been observed under production conditions.

I've just uploaded xymon/4.3.17-6 to DELAYED/15 (see https://ftp-master.debian.org/deferred.html) with:

* two patches cherry picked from upstream to fix memory leaks (https://bugs.debian.org/778343)
* one debconf translation update (https://bugs.debian.org/776126)
* one so far missing addition to debian/copyright (https://bugs.debian.org/775590)

As soon as I've got your approval for the debdiff below, I'll fast-forward the upload to unstable.

Full debdiff:

diff -Nru xymon-4.3.17/debian/changelog xymon-4.3.17/debian/changelog --- xymon-4.3.17/debian/changelog 2015-01-22 17:37:30.000000000 +0100 +++ xymon-4.3.17/debian/changelog 2015-02-13 21:59:49.000000000 +0100 
@@ -1,10 +1,24 @@ +xymon (4.3.17-6) unstable; urgency=medium + + [ Axel Beckert ] + * Add CVE ID to the previous changelog entry. + * Debconf translations, thanks! + + ru by Yuri Kozlov (Closes: #776126) + * Cherry pick two patches from upstream to fix multiple memory leaks. + (Closes: #778343) + + [ Christian Kastner ] + * Document license of sha?.* files in debian/copyright (Closes: #775590) + + -- Axel Beckert <[email protected]> Fri, 13 Feb 2015 21:59:49 +0100 + xymon (4.3.17-5) unstable; urgency=medium [ Christoph Berg ] * Restore the lost ROOTFS variable in xymonclient-linux.sh, and patch xymond/rrd/do_disk.c to ignore duplicate submissions for the / partition. (Closes: #767901) - * Fix buffer overrun in web/acknowledge.c (Closes: #776007) + * Fix buffer overrun in web/acknowledge.c (Closes: #776007, CVE-2015-1430) * Debconf translations, thanks! + pt by Américo Monteiro (Closes: #767840) + fr by Jean-Pierre Giraud (Closes: #770168) diff -Nru xymon-4.3.17/debian/copyright xymon-4.3.17/debian/copyright --- xymon-4.3.17/debian/copyright 2014-10-01 15:41:26.000000000 +0200 +++ xymon-4.3.17/debian/copyright 2015-02-13 15:34:20.000000000 +0100 
@@ -121,6 +121,38 @@ copied and put under another distribution licence [including the GNU Public Licence.] +lib/sha1.c: + 100% Public Domain, by Steve Reid <[email protected]>, with small changes + by Thomas Roessler <[email protected]>. + +lib/sha2.* + Copyright (C) 2005, 2007 Olivier Gay <[email protected]> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the project nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + There is a nested c-ares tarball in bbnet/: Copyright 1998, 2000 by the Massachusetts Institute of Technology. 
Copyright (C) 2004 by Daniel Stenberg et al diff -Nru xymon-4.3.17/debian/patches/fix-xymond-memory-leak xymon-4.3.17/debian/patches/fix-xymond-memory-leak --- xymon-4.3.17/debian/patches/fix-xymond-memory-leak 1970-01-01 01:00:00.000000000 +0100 +++ xymon-4.3.17/debian/patches/fix-xymond-memory-leak 2015-02-13 20:32:46.000000000 +0100 @@ -0,0 +1,19 @@ +Description:Fix memory leak in acknowledge handling. + Cherry-picked from the 4.3.18 upstream release. +Origin: http://sourceforge.net/p/xymon/code/7488/ +Applied-Upstream: http://sourceforge.net/p/xymon/code/7488/ +Reviewed-by: Axel Beckert <[email protected]> + +Index: xymon/xymond/xymond.c +=================================================================== +--- xymon.orig/xymond/xymond.c 2015-02-13 15:38:17.000000000 +0100 ++++ xymon/xymond/xymond.c 2015-02-13 15:40:05.000000000 +0100 +@@ -2365,6 +2365,8 @@ + if (zombie->dismsg) xfree(zombie->dismsg); + if (zombie->ackmsg) xfree(zombie->ackmsg); + if (zombie->grouplist) xfree(zombie->grouplist); ++ if (zombie->lastchange) xfree(zombie->lastchange); ++ if (zombie->testflags) xfree(zombie->testflags); + flush_acklist(zombie, 1); + xfree(zombie); + dbgprintf("<- free_log_t\n"); diff -Nru xymon-4.3.17/debian/patches/series xymon-4.3.17/debian/patches/series --- xymon-4.3.17/debian/patches/series 2015-01-22 16:49:00.000000000 +0100 +++ xymon-4.3.17/debian/patches/series 2015-02-13 20:32:46.000000000 +0100 @@ -25,3 +25,5 @@ apache2.4 disk-no-duplicate-root acknowledge-malloc +fix-xymond-memory-leak +set-initial-size-for-xymondlog-output diff -Nru xymon-4.3.17/debian/patches/set-initial-size-for-xymondlog-output xymon-4.3.17/debian/patches/set-initial-size-for-xymondlog-output --- xymon-4.3.17/debian/patches/set-initial-size-for-xymondlog-output 1970-01-01 01:00:00.000000000 +0100 +++ xymon-4.3.17/debian/patches/set-initial-size-for-xymondlog-output 2015-02-13 20:32:46.000000000 +0100 
@@ -0,0 +1,33 @@ +Description: Set an initial size for the xymondlog output + Cherry-picked from the 4.3.18 upstream release. + . + Original commit message: "xymond: Set an initial size for the + xymondlog output, to avoid realloc'ing the buffer too much. Fix a + valgrind complaint. JC Cleaver" + . + Despite the harmless sounding commit message, this seems to fix a + severe memory leak. Without this patch, valgrind reported the loss of + about 12 MB every five minutes on a bigger installation. +Origin: http://sourceforge.net/p/xymon/code/7489/ +Applied-Upstream: http://sourceforge.net/p/xymon/code/7489/ + +Index: xymon/xymond/xymond.c +=================================================================== +--- xymon.orig/xymond/xymond.c 2015-02-13 16:50:42.000000000 +0100 ++++ xymon/xymond/xymond.c 2015-02-13 17:21:42.000000000 +0100 +@@ -3679,12 +3679,13 @@ + } + + xfree(msg->buf); +- logdata = generate_outbuf(NULL, logfields, h, log, acklevel); ++ logdata = newstrbuffer(20480); ++ logdata = generate_outbuf(&logdata, logfields, h, log, acklevel); + addtobuffer(logdata, msg_data(log->message, 0)); + + msg->doingwhat = RESPONDING; + msg->buflen = STRBUFLEN(logdata); +- msg->bufp = grabstrbuffer(logdata); ++ msg->bufp = msg->buf = grabstrbuffer(logdata); + } + + clear_filter(logfilter); diff -Nru xymon-4.3.17/debian/po/ru.po xymon-4.3.17/debian/po/ru.po --- xymon-4.3.17/debian/po/ru.po 2014-10-23 14:57:35.000000000 +0200 +++ xymon-4.3.17/debian/po/ru.po 2015-02-03 12:26:32.000000000 +0100 
@@ -1,21 +1,21 @@ # translation of ru.po to Russian # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the PACKAGE package. +# This file is distributed under the same license as the xymon package. # -# Yuri Kozlov <[email protected]>, 2007. +# Yuri Kozlov <[email protected]>, 2007, 2015. msgid "" msgstr "" -"Project-Id-Version: 4.2.0.dfsg-4\n" +"Project-Id-Version: xymon 4.3.17-4\n" "Report-Msgid-Bugs-To: [email protected]\n" "POT-Creation-Date: 2014-10-23 14:57+0200\n" -"PO-Revision-Date: 2012-06-13 13:40+0200\n" -"Last-Translator: Yuri Kozlov <[email protected]>\n" +"PO-Revision-Date: 2015-01-24 09:26+0300\n" +"Last-Translator: Yuri Kozlov <[email protected]>\n" "Language-Team: Russian <[email protected]>\n" "Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"X-Generator: KBabel 1.11.4\n" +"X-Generator: Lokalize 1.5\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" @@ -68,7 +68,7 @@ #. Description #: ../xymon-client.templates:3001 msgid "Automatically migrate old hobbit files to xymon?" -msgstr "" +msgstr "Перейти с файлов hobbit на xymon автоматически?" #. Type: boolean #. Description 
@@ -80,3 +80,10 @@ "usually a good idea, but might not work so well if your config differs " "substantially from the default." msgstr "" +"Системный рабочий пользователь был переименован с «hobbit» в " +"«xymon», и все настройки, состояние, журнальные каталоги и файлы " +"также были переименованы. Послеустановочные сценарии пакета " +"могут выполнить переход автоматически. Обычно, всё проходит хорошо, " +"но могут возникать ошибки, если ваши настройки сильно отличаются " +"от настроек по умолчанию." + -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (600, 'testing'), (500, 'buildd-unstable'), (400, 'stable'), (110, 'experimental'), (1, 'buildd-experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.18.0-trunk-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)
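
Review bot: In the debian/copyright hunk (@@ -121,6 +121,38 @@), the new `lib/sha2.*` stanza header has no trailing colon, while `lib/sha1.c:` directly above it does. Add the colon so both file headers follow the same form and the BSD-style text is unambiguously attached to the sha2 files.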
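
Review bot: The Description of debian/patches/fix-xymond-memory-leak says the leak is in acknowledge handling, but the two added lines free `zombie->lastchange` and `zombie->testflags` in the teardown block that ends with `dbgprintf("<- free_log_t\n")`, next to the existing frees of dismsg, ackmsg and grouplist. Naming that function and the two fields in the Description would let a reader match the patch to the leak it closes. The header `Description:Fix memory leak` is also missing the space after the colon.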
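
Review bot: In the xymond.c hunk of set-initial-size-for-xymondlog-output (@@ -3679,12 +3679,13 @@), the Description attributes the fix to the initial buffer size, yet the hunk also changes `msg->bufp = grabstrbuffer(logdata);` to `msg->bufp = msg->buf = grabstrbuffer(logdata);` right after the existing `xfree(msg->buf);`. Before the change, only bufp referred to the grabbed buffer and msg->buf was never reassigned after being freed, so the Description should state that this assignment is part of the fix. Two smaller points: the literal 20480 passed to newstrbuffer() deserves a comment or a named constant, and since the return value of `generate_outbuf(&logdata, ...)` overwrites logdata, it is worth confirming that it returns the buffer it was handed. This patch also lacks the Reviewed-by header that the other cherry-picked patch carries.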
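
Review bot: In the first debian/po/ru.po hunk (@@ -1,21 +1,21 @@), the header line `# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER` is left as template text although the next line was corrected from PACKAGE to xymon. Fill in the holder or drop the placeholder in the same pass. Project-Id-Version is set to `xymon 4.3.17-4` while this upload is 4.3.17-6, which is harmless but worth noting for the translator.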

