Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4
Hi,

On Wed, Nov 27, 2019 at 04:17:13PM +, Adam D. Barratt wrote:
> Control: tags -1 -confirmed +moreinfo
>
> Hi,
>
> On 2019-11-27 16:07, Guido Günther wrote:
> > Hi Adam,
> > On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On 2019-11-27 13:05, Michal Arbet wrote:
> > > > I've added a patch from upstream ( sid already included it in new
> > > > version ).
> > > > Check current debdiff in attachment.
> > >
> > > That looks OK, assuming it's been build- and runtime-tested on a
> > > buster system.
> >
> > It would be nice to coordinate such things with the package
> > maintainers. I've had questions regarding these patches which weren't
> > answered yet:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26
>
> Apologies for that, we tend to assume that people making such requests
> either work on the package or have had that co-ordination discussion
> already.
>
> In this case I'll put the request on hold until we hear back.

Thanks. I intend to look at the particular issue and fold it into the update
with https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939036 which is still
pending.
 -- Guido

> Regards,
>
> Adam
Processed: Re: Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4
Processing control commands:

> tags -1 -confirmed +moreinfo
Bug #944294 [release.debian.org] buster-pu: package libvirt-daemon/5.0.0-4
Removed tag(s) confirmed.
Bug #944294 [release.debian.org] buster-pu: package libvirt-daemon/5.0.0-4
Ignoring request to alter tags of bug #944294 to the same tags previously set

--
944294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944294
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4
Control: tags -1 -confirmed +moreinfo

Hi,

On 2019-11-27 16:07, Guido Günther wrote:
> Hi Adam,
> On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On 2019-11-27 13:05, Michal Arbet wrote:
> > > I've added a patch from upstream ( sid already included it in new
> > > version ).
> > > Check current debdiff in attachment.
> >
> > That looks OK, assuming it's been build- and runtime-tested on a buster
> > system.
>
> It would be nice to coordinate such things with the package maintainers.
> I've had questions regarding these patches which weren't answered yet:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26

Apologies for that, we tend to assume that people making such requests
either work on the package or have had that co-ordination discussion
already.

In this case I'll put the request on hold until we hear back.

Regards,

Adam
Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4
Hi Adam,

On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On 2019-11-27 13:05, Michal Arbet wrote:
> > I've added a patch from upstream ( sid already included it in new
> > version ).
> > Check current debdiff in attachment.
>
> That looks OK, assuming it's been build- and runtime-tested on a buster
> system.

It would be nice to coordinate such things with the package maintainers.
I've had questions regarding these patches which weren't answered yet:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26

Cheers,
 -- Guido

> Regards,
>
> Adam
Bug#945592: buster-pu: package openstack-dashboard-apache/3:14.0.2-3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The openstack-dashboard-apache package is used to configure apache2 to provide
openstack-dashboard (horizon) and also to configure openstack-dashboard's
webroot. As upstream moved the WEBROOT variable from local_settings.py to
defaults.py, it has to be overridden in /etc/openstack-dashboard/local_settings.d,
and openstack-dashboard-apache has to configure this variable and rebuild the
static files if needed. This is now achieved by openstack-dashboard-apache,
which calls the trigger of openstack-dashboard when needed.

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru horizon-14.0.2/debian/changelog horizon-14.0.2/debian/changelog --- horizon-14.0.2/debian/changelog 2019-03-25 21:44:52.0 +0100 +++ horizon-14.0.2/debian/changelog 2019-11-27 15:32:02.0 +0100 @@ -1,3 +1,9 @@ +horizon (3:14.0.2-3+deb10u1) buster; urgency=medium + + * Fix change od WEBROOT in horizon + + -- Michal Arbet Wed, 27 Nov 2019 15:32:02 +0100 + horizon (3:14.0.2-3) unstable; urgency=medium * openstack-dashboard: Add Breaks against obsolete packages from Stretch: diff -Nru horizon-14.0.2/debian/local_settings.d/_0005_debian_webroot.py horizon-14.0.2/debian/local_settings.d/_0005_debian_webroot.py --- horizon-14.0.2/debian/local_settings.d/_0005_debian_webroot.py 1970-01-01 01:00:00.0 +0100 +++ horizon-14.0.2/debian/local_settings.d/_0005_debian_webroot.py 2019-11-27 15:31:56.0 +0100 
@@ -0,0 +1,2 @@ +# To specify path for webroot, set WEBROOT = "/webroot" +WEBROOT = "/" diff -Nru horizon-14.0.2/debian/openstack-dashboard-apache.postinst horizon-14.0.2/debian/openstack-dashboard-apache.postinst --- horizon-14.0.2/debian/openstack-dashboard-apache.postinst 2019-03-25 21:44:52.0 +0100 +++ horizon-14.0.2/debian/openstack-dashboard-apache.postinst 2019-11-27 15:31:56.0 +0100 @@ -2,6 +2,32 @@ set -e +OS_WEBROOT_CONF_PATH="/etc/openstack-dashboard/local_settings.d/_0005_debian_webroot.py" + +# We need to check if WEBROOT config will be changed +# If yes, we need to exec compress,collect_static. +# If no, it isn't needed. + +change_webroot (){ + WEBROOT=$1 + # If WEBROOT config exist, compare it + if [ -e ${OS_WEBROOT_CONF_PATH} ]; then + + CURRENT_WEBROOT=$(cat ${OS_WEBROOT_CONF_PATH} | grep ^WEBROOT | sed -e 's/"*'\''*\ *//g' | awk -F '=' '{print $2}') + + if [ "${CURRENT_WEBROOT}" = "${WEBROOT}" ]; then + echo "===> openstack-dashboard-apache: Webroot already set." + echo "===> openstack-dashboard-apache: Rebuild static not needed." +else + sed -i "s|^[ \t]*WEBROOT[ \t]=.*|WEBROOT = \"${WEBROOT}\"|" ${OS_WEBROOT_CONF_PATH} + echo "===> openstack-dashboard-apache: Setting Horizon's webroot to ${WEBROOT}" + echo "===> openstack-dashboard-apache: Horizon's webroot was changed, rebuild static is needed." + dpkg-trigger --no-await rebuild-static + fi + fi + +} + dpkg-maintscript-helper dir_to_symlink \ /usr/share/openstack-dashboard/static /var/lib/openstack-dashboard/static 2:9.0.0~rc1-2 openstack-dashboard-apache -- "$@" 
@@ -26,9 +52,11 @@ db_get horizon/activate_vhost if [ "${RET}" = "true" ] && [ -x /etc/init.d/apache2 ] ; then sed -i 's#[ \t]*HORIZON_ACTIVATE_VHOSTS=.*#HORIZON_ACTIVATE_VHOSTS=yes#' /etc/default/openstack-dashboard-apache + # Set webroot to / in openstack-dashboard settings + change_webroot "/" a2dissite 000-default.conf || true a2dissite default-ssl.conf || true - sed -i "s|^[ \t]*WEBROOT[ \t]=.*|WEBROOT = '/'|" /etc/openstack-dashboard/local_settings.py + db_get horizon/use_ssl if [ "${RET}" = "true" ] ; then sed -i 's#[ \t]*HORIZON_USE_SSL=.*#HORIZON_USE_SSL=yes#' /etc/default/openstack-dashboard-apache @@ -52,44 +80,17 @@ else ln -fs /var/lib/openstack-dashboard/static /usr/share/openstack-dashboard/static fi - # Not needed in openstack-dashboard-apache - # This is done in openstack-dashboard - #if [ -f /usr/share/openstack-dashboard/manage.py ]; then - # /usr/share/openstack-dashboard/manage.py collectstatic --clear --noinput -
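Review bot: in the `change_webroot` function added to openstack-dashboard-apache.postinst, the read side and the write side disagree on what a WEBROOT line looks like: the read uses `grep ^WEBROOT` (no leading whitespace allowed), while the write uses `sed -i "s|^[ \t]*WEBROOT[ \t]=.*|WEBROOT = \"${WEBROOT}\"|"`, which allows indentation but requires exactly one space or tab before `=`. A line such as `WEBROOT="/x"` would be read but never rewritten, yet the script would still print "Setting Horizon's webroot" and fire `dpkg-trigger --no-await rebuild-static`; an indented line would be rewritten but never read, so the comparison fails on every run and forces a needless static rebuild. Suggest `^[ \t]*WEBROOT[ \t]*=` on both sides, and, since this runs as root with `sed -i` over a file in /etc, escaping `|`, `&` and `\` in `${WEBROOT}` before it is used as a sed replacement (harmless for the single `change_webroot "/"` caller today, but the function accepts an arbitrary argument).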
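Review bot: typo in the changelog hunk: `* Fix change od WEBROOT in horizon` should read `of`; the entry is what apt-listchanges and the stable release review will show, and a one-line rationale (WEBROOT moved upstream from local_settings.py to defaults.py, so it is now set via local_settings.d) would make the upload self-explanatory.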
Processed: Re: Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4
Processing control commands:

> tags -1 + confirmed
Bug #944294 [release.debian.org] buster-pu: package libvirt-daemon/5.0.0-4
Added tag(s) confirmed.

--
944294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944294
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4
Control: tags -1 + confirmed

On 2019-11-27 13:05, Michal Arbet wrote:
> I've added a patch from upstream ( sid already included it in new
> version ).
> Check current debdiff in attachment.

That looks OK, assuming it's been build- and runtime-tested on a buster
system.

Regards,

Adam
Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4
Hello Adam,

I've added a patch from upstream ( sid already included it in new version ).
Check current debdiff in attachment.

Thanks,
Michal Arbet ( kevko )

On Sat, 9 Nov 2019 at 15:06, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Thu, 2019-11-07 at 12:13 +0100, Michal Arbet wrote:
> > I am facing the same issue in debian as it is reported in ubuntu
> > launchpad bug
> > https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1825195
> >
> > Could you please release new revision of libvirt to buster ?
>
> The Stable Release Team approve updates that are then uploaded by
> Debian Developers; we don't directly update the packages.
>
> In this case, I have to admit to being a little confused by the
> suggested change. The commit referenced in your patch was fairly
> quickly superseded by
>
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=b12865260a0f24ab86ddaf3547b2f2e2c595d429
> , so that would seem the more sensible place to start with a backport.
>
> However, the recent upload of libvirt 5.6.0 to unstable does not appear
> to contain either version of the fix, which would be a prerequisite to
> getting it incorporated into stable.
>
> As a side note:
>
> +libvirt (5.0.0-4.1) buster; urgency=medium
>
> The version there should be "5.0.0-4+deb10u1" (indeed, there already was a
> 5.0.0-4.1, to unstable in August).
>
> Regards,
>
> Adam

libvirt_5.0.0-4+deb10u1.debdiff
Description: Binary data
Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Fixes CVE-2019-14857 (Open redirect in logout url when using URLs with
backslashes) by improving validation of the post-logout URL parameter
(backported from upstream, see
https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (700, 'stable-updates'), (700, 'stable'), (60, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog libapache2-mod-auth-openidc-2.3.10.2/debian/changelog --- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-01-29 21:40:30.0 +0100 +++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-11-27 11:09:17.0 +0100 @@ -1,3 +1,10 @@ +libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium + + * Add patch for CVE-2019-14857 +(Closes: #942165) + + -- Moritz Schlarb Wed, 27 Nov 2019 11:09:17 +0100 + libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium * New upstream version 2.3.10.2 diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf --- libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf2019-01-29 21:40:30.0 +0100 +++ libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf2019-11-27 11:08:14.0 +0100 
@@ -1,2 +1,3 @@ [DEFAULT] pristine-tar = True +debian-branch = buster diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch --- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch 1970-01-01 01:00:00.0 +0100 +++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch 2019-11-27 11:08:14.0 +0100 
@@ -0,0 +1,137 @@ +From: Moritz Schlarb +Date: Wed, 16 Oct 2019 10:53:49 +0200 +Subject: improve validation of the post-logout URL parameter on logout + +From https://github.com/zmartzone/mod_auth_openidc/compare/5c15dfb~1...v2.4.0.3 + +Fixes https://security-tracker.debian.org/tracker/CVE-2019-14857 +--- + src/mod_auth_openidc.c | 101 ++--- + 1 file changed, 63 insertions(+), 38 deletions(-) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index 5b971d5..916d60d 100644 +--- a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +@@ -2938,6 +2938,61 @@ out: + return rc; + } + ++static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url, ++ char **err_str, char **err_desc) { ++ apr_uri_t uri; ++ const char *c_host = NULL; ++ ++ if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) { ++ *err_str = apr_pstrdup(r->pool, "Malformed URL"); ++ *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", url); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++ } ++ ++ c_host = oidc_get_current_url_host(r); ++ if ((uri.hostname != NULL) ++ && ((strstr(c_host, uri.hostname) == NULL) ++ || (strstr(uri.hostname, c_host) == NULL))) { ++ *err_str = apr_pstrdup(r->pool, "Invalid Request"); ++ *err_desc = ++ apr_psprintf(r->pool, ++ "logout value \"%s\" does not match the hostname of the current request \"%s\"", ++ apr_uri_unparse(r->pool, &uri, 0), c_host); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++ } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) { ++ *err_str = apr_pstrdup(r->pool, "Malformed URL"); ++ *err_desc = ++ apr_psprintf(r->pool, ++ "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s", ++ url); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++} else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) { ++*err_str = apr_pstrdup(r->pool, "Malformed URL"); ++*err_desc = ++apr_psprintf(r->pool, ++
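Review bot: in the `oidc_validate_post_logout_url` hunk, the host check `(strstr(c_host, uri.hostname) == NULL) || (strstr(uri.hostname, c_host) == NULL)` only accepts when each string contains the other, which is string equality written in an obscure and case-sensitive way; `strcasecmp(c_host, uri.hostname) != 0` states the intent directly (host names are case-insensitive, and the parsed hostname keeps whatever case the client sent). Likewise `strstr(url, "/") != url` and `strstr(url, "//") == url` are "starts with" tests and read more clearly as `url[0] != '/'` and `url[1] == '/'`. The patch as pasted into this debdiff is cut off mid-statement after the `"//"` branch, so the backslash handling that the CVE title refers to cannot be reviewed from this excerpt; please make sure the full 137-line patch, not this truncated copy, is what gets uploaded.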
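As an added example (not the module's code and not part of this bug report), the same class of post-logout redirect check written as a stand-alone C function: it accepts site-relative paths and absolute http(s) URLs whose host equals the current request host, and goes beyond the hunk above by rejecting backslashes, protocol-relative `//host` forms, userinfo and case-mismatched hosts. The `current_host` argument stands in for whatever the server knows as its own host; all sample URLs are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* ASCII case-insensitive equality of n bytes; host names are case-insensitive. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Decide whether a post-logout redirect target may be followed.
 * current_host is the host of the current request (an assumed input; a real
 * module would take it from the request). Returns true only for site-relative
 * paths or absolute http(s) URLs whose host equals current_host. */
bool safe_post_logout_url(const char *url, const char *current_host)
{
    if (url == NULL || current_host == NULL || url[0] == '\0')
        return false;
    /* Browsers treat '\' like '/', so a strict parser may call "/\evil.example"
     * a relative path while the browser leaves the site. Reject backslashes
     * and control/space bytes outright. */
    for (const char *p = url; *p; p++)
        if (*p == '\\' || (unsigned char)*p <= ' ' || *p == 0x7f)
            return false;
    /* Site-relative path: allowed unless it is protocol-relative ("//host"). */
    if (url[0] == '/')
        return url[1] != '/';
    /* Absolute URL: scheme must be http or https (rejects javascript:, data:,
     * mailto: and bare host names without a scheme). */
    const char *sep = strstr(url, "://");
    if (sep == NULL)
        return false;
    size_t slen = (size_t)(sep - url);
    if (!(slen == 4 && eq_nocase(url, "http", 4)) &&
        !(slen == 5 && eq_nocase(url, "https", 5)))
        return false;
    /* Authority runs up to the first '/', '?' or '#'. Refuse userinfo, since
     * "https://sso.example@evil.example/" would pass a prefix check. */
    const char *auth = sep + 3;
    const char *end = auth + strcspn(auth, "/?#");
    if (memchr(auth, '@', (size_t)(end - auth)) != NULL)
        return false;
    /* Strip an optional :port, then require an exact host match. */
    const char *colon = memchr(auth, ':', (size_t)(end - auth));
    size_t hlen = colon ? (size_t)(colon - auth) : (size_t)(end - auth);
    if (hlen == 0 || hlen != strlen(current_host))
        return false;
    return eq_nocase(auth, current_host, hlen);
}
```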
Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)
On Wed, Nov 27, 2019 at 09:43:26AM +0100, Salvatore Bonaccorso wrote:
> Hi Holger,
>
> On Tue, Nov 26, 2019 at 01:03:00PM +, Holger Levsen wrote:
> > On Sun, Nov 24, 2019 at 08:27:40PM +, Adam D. Barratt wrote:
> > > On Sun, 2019-11-24 at 18:42 +, Holger Levsen wrote:
> > > > - or should debian-security-support follow the normal point release
> > > > schedule, which AIUI currently has the unfortunate drawback that no
> > > > stretch point release is planned anymore (??)
> > >
> > > Addressing just this point right now, I am not aware of any suggestion
> > > that there will be no further point releases for stretch.
> > >
> > > There is not a planned date for 9.13 currently, but I'd expect that it
> > > will be some time in January, alongside 10.3. 9.14 will likely be the
> > > final point release before support moves over to LTS support, in
> > > mid-2020.
> >
> > ah, cool, thanks for this info.
> >
> > so then the question is: shall the debian-security-support package
> > update, which informs the user that chromium doesn't have security
> > support in stretch, wait till then, or does this warrant an update via
> > stretch-updates or stretch-security?
>
> I think this does not warrant a separate DSA,

We already had a DSA announcing Chromium EOL for stretch
(https://lists.debian.org/debian-security-announce/2019/msg00214.html), as
such let's simply install an updated debian-security-support to
stretch-security, no separate announcement needed.

Cheers,
Moritz
Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)
Hi Holger,

On Tue, Nov 26, 2019 at 01:03:00PM +, Holger Levsen wrote:
> On Sun, Nov 24, 2019 at 08:27:40PM +, Adam D. Barratt wrote:
> > On Sun, 2019-11-24 at 18:42 +, Holger Levsen wrote:
> > > - or should debian-security-support follow the normal point release
> > > schedule, which AIUI currently has the unfortunate drawback that no
> > > stretch point release is planned anymore (??)
> >
> > Addressing just this point right now, I am not aware of any suggestion
> > that there will be no further point releases for stretch.
> >
> > There is not a planned date for 9.13 currently, but I'd expect that it
> > will be some time in January, alongside 10.3. 9.14 will likely be the
> > final point release before support moves over to LTS support, in
> > mid-2020.
>
> ah, cool, thanks for this info.
>
> so then the question is: shall the debian-security-support package
> update, which informs the user that chromium doesn't have security
> support in stretch, wait till then, or does this warrant an update via
> stretch-updates or stretch-security?

I think this does not warrant a separate DSA, so I would say still as usual
the point release route, with the option (if SRM agree!) to release it faster
via *-updates. When it is known that a DSA will end-of-life a lower suite's
packages, then we might release a debian-security-support along when
installing the corresponding packages, but I would say not a separate DSA to
be issued.

Regards,
Salvatore