Bug#954716: buster-pu: package suricata/1:4.1.2-2
Control: tags -1 -moreinfo +confirmed

On Mon, 2020-04-13 at 14:24 +0200, Sascha Steinbiss wrote:
> fixed 951181 1:5.0.2-1
> thanks
>
> Hi Adam,
>
> > > When you talk about bug metadata, are you just referring to a
> > > missing 'fixed' tag for #951181 along the lines of:
> > >
> > > fixed 951181 1:5.0.2-1
> > >
> > > If so, I would be happy to provide that.
> >
> > Yes, exactly that. Sorry if it seems insignificant, but it provides
> > a much clearer view of what the state is across the suites.
>
> Sure, no problem. Done!

Thanks. Please go ahead.

Regards,

Adam
Bug#954716: buster-pu: package suricata/1:4.1.2-2
fixed 951181 1:5.0.2-1
thanks

Hi Adam,

>> When you talk about bug metadata, are you just referring to a missing
>> 'fixed' tag for #951181 along the lines of:
>>
>> fixed 951181 1:5.0.2-1
>>
>> If so, I would be happy to provide that.
>
> Yes, exactly that. Sorry if it seems insignificant, but it provides a
> much clearer view of what the state is across the suites.

Sure, no problem. Done!

Best regards
Sascha
Bug#954716: buster-pu: package suricata/1:4.1.2-2
On Mon, 2020-04-13 at 12:59 +0200, Sascha Steinbiss wrote:
> I see. From my point of view it was clearly stated that the patch
> author (Timo Sigurdsson) had his fix accepted by upstream in version
> 5.0.2 (according to the changelog linked here [1]) which is currently
> in unstable [2].
>
> When you talk about bug metadata, are you just referring to a missing
> 'fixed' tag for #951181 along the lines of:
>
> fixed 951181 1:5.0.2-1
>
> If so, I would be happy to provide that.

Yes, exactly that. Sorry if it seems insignificant, but it provides a
much clearer view of what the state is across the suites.

Regards,

Adam
Bug#954716: buster-pu: package suricata/1:4.1.2-2
Hi Adam,

thanks for taking a look at my proposed update.

[...]
>> Upstream has merged this patch already [1] and it has been included
>> in the current version in unstable (5.0.2) [2] which the original
>> patch author backported to 4.1.2 to allow fixing it in buster as
>> well.
>>
>> The corresponding bug in Debian is #951181 [3] -- it has the required
>> severity of important and describes the issue in more detail.
>
> The metadata for that bug suggests that it still affects unstable,
> which is contrary to your earlier comment above. Please could you
> confirm the status of the issue in unstable, and add relevant fixed
> versions to the bug if appropriate.

I see. From my point of view it was clearly stated that the patch author
(Timo Sigurdsson) had his fix accepted by upstream in version 5.0.2
(according to the changelog linked here [1]) which is currently in
unstable [2].

When you talk about bug metadata, are you just referring to a missing
'fixed' tag for #951181 along the lines of:

fixed 951181 1:5.0.2-1

If so, I would be happy to provide that.

Thanks again and best regards
Sascha

[1] https://suricata-ids.org/2020/02/13/suricata-5-0-2-released/
[2] https://packages.debian.org/source/unstable/suricata
Bug#954716: buster-pu: package suricata/1:4.1.2-2
Control: tags -1 + moreinfo

On Sun, 2020-03-22 at 15:46 +0100, Sascha Steinbiss wrote:
> I would like to propose an update for the version of suricata in
> buster (4.1.2-2). It addresses a problem with dropping privileges
> when started in a particular runmode, which would otherwise fail in
> this version.
> Upstream has merged this patch already [1] and it has been included
> in the current version in unstable (5.0.2) [2] which the original
> patch author backported to 4.1.2 to allow fixing it in buster as
> well.
>
> The corresponding bug in Debian is #951181 [3] -- it has the required
> severity of important and describes the issue in more detail.

The metadata for that bug suggests that it still affects unstable,
which is contrary to your earlier comment above. Please could you
confirm the status of the issue in unstable, and add relevant fixed
versions to the bug if appropriate.

Regards,

Adam
Bug#954716: buster-pu: package suricata/1:4.1.2-2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I would like to propose an update for the version of suricata in
buster (4.1.2-2). It addresses a problem with dropping privileges
when started in a particular runmode, which would otherwise fail in
this version.
Upstream has merged this patch already [1] and it has been included
in the current version in unstable (5.0.2) [2] which the original
patch author backported to 4.1.2 to allow fixing it in buster as
well.

The corresponding bug in Debian is #951181 [3] -- it has the required
severity of important and describes the issue in more detail.

I have also attached a debdiff of the proposed changes to the source
package. It builds fine in a buster chroot and all autopkgtests succeed
with no issues in a buster LXC container.

Please let me know what the next steps would be. Thanks!

Best regards
Sascha Steinbiss

[1] https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391
[2] https://suricata-ids.org/2020/02/13/suricata-5-0-2-released/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951181

diff -Nru suricata-4.1.2/debian/changelog suricata-4.1.2/debian/changelog --- suricata-4.1.2/debian/changelog 2019-01-09 12:53:47.0 +0100 +++ suricata-4.1.2/debian/changelog 2020-03-22 12:07:13.0 +0100 
@@ -1,3 +1,10 @@ +suricata (1:4.1.2-2+deb10u1) buster; urgency=medium + + * Include patch for issue fixed upstream, see bug report below. +Closes: #951181 + + -- Sascha Steinbiss Sun, 22 Mar 2020 12:07:13 +0100 + suricata (1:4.1.2-2) unstable; urgency=medium * Upload to unstable. diff -Nru suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch --- suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch 1970-01-01 01:00:00.0 +0100 +++ suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch 2020-03-22 12:06:40.0 +0100 
@@ -0,0 +1,37 @@ +From: Timo Sigurdsson +Date: Tue, 11 Feb 2020 23:29:06 +0100 +Subject: [PATCH] init: Fix dropping privileges in nflog runmode + +Using the run-as configuration option with the nflog capture method +results in the following error during the startup of suricata: +[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed + +This is because SCDropMainThreadCaps does not have any capabilities +defined for the nflog runmode (unlike other runmodes). Therefore, apply +the same capabilities to the nflog runmode that are already defined for +the nfqueue runmode. This has been confirmed to allow suricata start +and drop its privileges in the nflog runmode. + +Fixes redmine issue #3265. + +Backport of commit 1262ecb upstream to suricata 4.1.2 (Debian Buster). + +Signed-off-by: Timo Sigurdsson +--- + src/util-privs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/util-privs.c b/src/util-privs.c +@@ -75,9 +75,10 @@ + CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE, + -1); + break; ++case RUNMODE_NFLOG: + case RUNMODE_NFQ: + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, +-CAP_NET_ADMIN, /* needed for nfqueue inline mode */ ++CAP_NET_ADMIN, /* needed for nflog and nfqueue inline mode */ + CAP_SYS_NICE, + -1); + break; diff -Nru suricata-4.1.2/debian/patches/series suricata-4.1.2/debian/patches/series --- suricata-4.1.2/debian/patches/series2019-01-09 12:19:12.0 +0100 +++ suricata-4.1.2/debian/patches/series2020-03-22 12:06:05.0 +0100 @@ -4,3 +4,4 @@ no-use-gnu.patch suricata-common-last.patch fix-repeated-builds.patch +backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
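
Review bot: The new debian/changelog entry for 1:4.1.2-2+deb10u1 says only "Include patch for issue fixed upstream, see bug report below", so a reader of the buster changelog has to open the bug to learn what changed. Name the fix in the entry itself, for example "Fix dropping privileges in nflog runmode (backport of upstream commit 1262ecb)", and keep the "Closes: #951181" line as it is.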
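
Review bot: In the src/util-privs.c part of the backported patch, the reworded comment "needed for nflog and nfqueue inline mode" leaves it unclear whether "inline mode" qualifies both capture methods or only nfqueue. Since the added "case RUNMODE_NFLOG:" label now shares the CAP_NET_ADMIN and CAP_SYS_NICE set with RUNMODE_NFQ, wording such as "needed for nflog, and for nfqueue inline mode" would state which runmode needs the capability for what. Separately, the patch header records its origin only in prose ("Backport of commit 1262ecb upstream"); DEP-3 style Origin and Bug-Debian fields, using the upstream commit URL and bug #951181 already cited in the request, would make that provenance easier to track.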