Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Guido Günther
Hi,
On Wed, Nov 27, 2019 at 04:17:13PM +, Adam D. Barratt wrote:
> Control: tags -1 -confirmed +moreinfo
> 
> Hi,
> 
> On 2019-11-27 16:07, Guido Günther wrote:
> > Hi Adam,
> > On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On 2019-11-27 13:05, Michal Arbet wrote:
> > > > I've added a patch from upstream ( sid already included it in new
> > > > version ).
> > > > Check current debdiff in attachment.
> > > 
> > > That looks OK, assuming it's been build- and runtime-tested on a
> > > buster
> > > system.
> > 
> > It would be nice to coordinate such things with the package
> > maintainers. I've had questions regarding these patches which weren't
> > answered yet:
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26
> 
> Apologies for that, we tend to assume that people making such requests
> either work on the package or have had that co-ordination discussion
> already.
> 
> In this case I'll put the request on hold until we hear back.

Thanks. I intend to look at the particular issue and fold it into the
update with

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939036

which is still pending.
 -- Guido

> 
> Regards,
> 
> Adam
> 



Processed: Re: Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -confirmed +moreinfo
Bug #944294 [release.debian.org] buster-pu: package libvirt-daemon/5.0.0-4
Removed tag(s) confirmed.
Bug #944294 [release.debian.org] buster-pu: package libvirt-daemon/5.0.0-4
Ignoring request to alter tags of bug #944294 to the same tags previously set

-- 
944294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944294
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Adam D. Barratt

Control: tags -1 -confirmed +moreinfo

Hi,

On 2019-11-27 16:07, Guido Günther wrote:
> Hi Adam,
> On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On 2019-11-27 13:05, Michal Arbet wrote:
> > > I've added a patch from upstream ( sid already included it in new
> > > version ).
> > > Check current debdiff in attachment.
> > 
> > That looks OK, assuming it's been build- and runtime-tested on a buster
> > system.
> 
> It would be nice to coordinate such things with the package
> maintainers. I've had questions regarding these patches which weren't
> answered yet:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26

Apologies for that, we tend to assume that people making such requests
either work on the package or have had that co-ordination discussion
already.

In this case I'll put the request on hold until we hear back.

Regards,

Adam



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Guido Günther
Hi Adam,
On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On 2019-11-27 13:05, Michal Arbet wrote:
> > I've added a patch from upstream ( sid already included it in new
> > version ).
> > Check current debdiff in attachment.
> 
> That looks OK, assuming it's been build- and runtime-tested on a buster
> system.

It would be nice to coordinate such things with the package
maintainers. I've had questions regarding these patches which weren't
answered yet:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26

Cheers,
 -- Guido

> 
> Regards,
> 
> Adam



Bug#945592: buster-pu: package openstack-dashboard-apache/3:14.0.2-3

2019-11-27 Thread Michal Arbet
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The openstack-dashboard-apache package is used to configure apache2 to provide
openstack-dashboard (horizon) and also to configure openstack-dashboard's webroot.

As upstream moved the WEBROOT variable from local_settings.py to defaults.py, it has
to be overridden in /etc/openstack-dashboard/local_settings.d, and
openstack-dashboard-apache has to configure this variable and rebuild static
files if needed.

This is now achieved by openstack-dashboard-apache calling a trigger of
openstack-dashboard when needed.

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru horizon-14.0.2/debian/changelog horizon-14.0.2/debian/changelog
--- horizon-14.0.2/debian/changelog 2019-03-25 21:44:52.0 +0100
+++ horizon-14.0.2/debian/changelog 2019-11-27 15:32:02.0 +0100
@@ -1,3 +1,9 @@
+horizon (3:14.0.2-3+deb10u1) buster; urgency=medium
+
+  * Fix change od WEBROOT in horizon
+
+ -- Michal Arbet   Wed, 27 Nov 2019 15:32:02 +0100
+
 horizon (3:14.0.2-3) unstable; urgency=medium
 
   * openstack-dashboard: Add Breaks against obsolete packages from Stretch:
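Review bot: "od" in "Fix change od WEBROOT in horizon" should be "of", and the entry does not say what changed; for a stable update the changelog should name the mechanism (WEBROOT now set from /etc/openstack-dashboard/local_settings.d/_0005_debian_webroot.py, postinst fires the rebuild-static trigger when the value changes) and reference the bug being fixed, so the release team and users can see from the changelog alone why this update exists.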
diff -Nru horizon-14.0.2/debian/local_settings.d/_0005_debian_webroot.py 
horizon-14.0.2/debian/local_settings.d/_0005_debian_webroot.py
--- horizon-14.0.2/debian/local_settings.d/_0005_debian_webroot.py  
1970-01-01 01:00:00.0 +0100
+++ horizon-14.0.2/debian/local_settings.d/_0005_debian_webroot.py  
2019-11-27 15:31:56.0 +0100
@@ -0,0 +1,2 @@
+# To specify path for webroot, set WEBROOT = "/webroot"
+WEBROOT = "/"
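Review bot: the comment tells the administrator to set WEBROOT by hand in this file, but the postinst in this same debdiff calls change_webroot "/" on every configure where horizon/activate_vhost is true and rewrites any WEBROOT line whose value differs, so a hand-edited webroot is silently reset to "/" on the next upgrade. Either state in the comment that openstack-dashboard-apache manages this line, or take the desired webroot from configuration (debconf or /etc/default/openstack-dashboard-apache) instead of the literal "/".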
diff -Nru horizon-14.0.2/debian/openstack-dashboard-apache.postinst 
horizon-14.0.2/debian/openstack-dashboard-apache.postinst
--- horizon-14.0.2/debian/openstack-dashboard-apache.postinst   2019-03-25 
21:44:52.0 +0100
+++ horizon-14.0.2/debian/openstack-dashboard-apache.postinst   2019-11-27 
15:31:56.0 +0100
@@ -2,6 +2,32 @@
 
 set -e
 
+OS_WEBROOT_CONF_PATH="/etc/openstack-dashboard/local_settings.d/_0005_debian_webroot.py"
+
+# We need to check if WEBROOT config will be changed
+# If yes, we need to exec compress,collect_static.
+# If no, it isn't needed.
+
+change_webroot (){
+   WEBROOT=$1
+   # If WEBROOT config exist, compare it
+   if [ -e ${OS_WEBROOT_CONF_PATH} ]; then
+
+   CURRENT_WEBROOT=$(cat ${OS_WEBROOT_CONF_PATH}  | grep ^WEBROOT 
| sed -e 's/"*'\''*\ *//g' | awk -F '=' '{print $2}')
+
+   if [ "${CURRENT_WEBROOT}" = "${WEBROOT}" ]; then
+   echo "===> openstack-dashboard-apache: Webroot already 
set."
+   echo "===> openstack-dashboard-apache: Rebuild static 
not needed."
+else
+   sed -i "s|^[ \t]*WEBROOT[ \t]=.*|WEBROOT = 
\"${WEBROOT}\"|" ${OS_WEBROOT_CONF_PATH}
+   echo "===> openstack-dashboard-apache: Setting 
Horizon's webroot to ${WEBROOT}"
+   echo "===> openstack-dashboard-apache: Horizon's 
webroot was changed, rebuild static is needed."
+   dpkg-trigger --no-await rebuild-static
+   fi
+   fi
+
+}
+
 dpkg-maintscript-helper dir_to_symlink \
/usr/share/openstack-dashboard/static 
/var/lib/openstack-dashboard/static 2:9.0.0~rc1-2 openstack-dashboard-apache -- 
"$@"
 
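Review bot: the detection and the rewrite in change_webroot use different patterns and can disagree. `grep ^WEBROOT` matches any line starting with WEBROOT, including `WEBROOT="/x"` with no spaces or a longer name such as WEBROOT_FOO, while the sed `s|^[ \t]*WEBROOT[ \t]=.*|...|` only rewrites a line with exactly one space or tab before the `=`; when the grep matches but the sed does not, the function prints "Setting Horizon's webroot", fires the rebuild-static trigger, and leaves the file unchanged. Use one expression for both, e.g. `grep -E '^[[:space:]]*WEBROOT[[:space:]]*='` and `[ \t]*=` in the sed. `${WEBROOT}` is also spliced unescaped into the sed replacement, so a value containing `|`, `&` or `\` would corrupt the file; either keep callers to literal paths or escape those characters first. Minor: the `else` is indented differently from its `if`/`fi`, and `cat file | grep` can be `grep ... "${OS_WEBROOT_CONF_PATH}"`.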
@@ -26,9 +52,11 @@
db_get horizon/activate_vhost
if [ "${RET}" = "true" ] && [ -x /etc/init.d/apache2 ] ; then
sed -i 's#[ 
\t]*HORIZON_ACTIVATE_VHOSTS=.*#HORIZON_ACTIVATE_VHOSTS=yes#' 
/etc/default/openstack-dashboard-apache
+   # Set webroot to / in openstack-dashboard settings
+   change_webroot "/"
a2dissite 000-default.conf || true
a2dissite default-ssl.conf || true
-   sed -i "s|^[ \t]*WEBROOT[ \t]=.*|WEBROOT = '/'|" 
/etc/openstack-dashboard/local_settings.py
+
db_get horizon/use_ssl
if [ "${RET}" = "true" ] ; then
sed -i 's#[ 
\t]*HORIZON_USE_SSL=.*#HORIZON_USE_SSL=yes#' 
/etc/default/openstack-dashboard-apache
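Review bot: removing the `sed ... /etc/openstack-dashboard/local_settings.py` line means a WEBROOT value that an earlier version of this postinst wrote into local_settings.py is no longer touched, so the new _0005_debian_webroot.py only takes effect if local_settings.d is evaluated after local_settings.py on buster's horizon; the report says upstream moved the default to defaults.py but does not state the load order, so please confirm it on an upgraded buster system and mention it in the changelog.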
@@ -52,44 +80,17 @@
else
ln -fs /var/lib/openstack-dashboard/static 
/usr/share/openstack-dashboard/static
fi
-   # Not needed in openstack-dashboard-apache
-   # This is done in openstack-dashboard
-   #if [ -f /usr/share/openstack-dashboard/manage.py ]; then
-   #   /usr/share/openstack-dashboard/manage.py collectstatic 
--clear --noinput
-  

Processed: Re: Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #944294 [release.debian.org] buster-pu: package libvirt-daemon/5.0.0-4
Added tag(s) confirmed.

-- 
944294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944294
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Adam D. Barratt

Control: tags -1 + confirmed

On 2019-11-27 13:05, Michal Arbet wrote:
> I've added a patch from upstream ( sid already included it in new
> version ).
> Check current debdiff in attachment.

That looks OK, assuming it's been build- and runtime-tested on a buster
system.


Regards,

Adam



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Michal Arbet
Hello Adam,

I've added a patch from upstream ( sid already included it in new version ).
Check current debdiff in attachment.

Thanks,
Michal Arbet ( kevko )

On Sat, 9 Nov 2019 at 15:06, Adam D. Barratt wrote:

> Control: tags -1 + moreinfo
>
> On Thu, 2019-11-07 at 12:13 +0100, Michal Arbet wrote:
> > I am facing the same issue in debian as it is reported in ubuntu
> > launchpad bug
> > https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1825195
> >
> > Could you please release new revision of libvirt to buster ?
>
> The Stable Release Team approve updates that are then uploaded by
> Debian Developers; we don't directly update the packages.
>
> In this case, I have to admit to being a little confused by the
> suggested change. The commit referenced in your patch was fairly
> quickly superseded by
>
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=b12865260a0f24ab86ddaf3547b2f2e2c595d429
> , so that would seem the more sensible place to start with a backport.
>
> However, the recent upload of libvirt 5.6.0 to unstable does not appear
> to contain either version of the fix, which would be a prerequisite to
> getting it incorporated into stable.
>
> As a side note:
>
> +libvirt (5.0.0-4.1) buster; urgency=medium
>
> The version there should be "5.0.0-4+deb10u1" (indeed, there already was a
> 5.0.0-4.1, to unstable in August).
>
> Regards,
>
> Adam
>
>


libvirt_5.0.0-4+deb10u1.debdiff
Description: Binary data


Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2019-11-27 Thread Moritz Schlarb
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Fixes CVE-2019-14857 (Open redirect in logout url when using URLs with
backslashes) by improving validation of the post-logout URL parameter
(backported from upstream, see https://salsa.debian.org/debian/libapache2-mod-
auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (700, 'stable-updates'), (700, 'stable'), (60, 'testing'), (50,
'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 
libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
--- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog   2019-01-29 
21:40:30.0 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog   2019-11-27 
11:09:17.0 +0100
@@ -1,3 +1,10 @@
+libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium
+
+  * Add patch for CVE-2019-14857
+(Closes: #942165)
+
+ -- Moritz Schlarb   Wed, 27 Nov 2019 11:09:17 +0100
+
 libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium
 
   * New upstream version 2.3.10.2
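Review bot: the changelog entry names only the CVE number; add its one-line description (open redirect in the logout URL when using URLs with backslashes, as the report above puts it) so that users reading the changelog and the security tracker can see what the patch does without opening #942165.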
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf 
libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf2019-01-29 
21:40:30.0 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf2019-11-27 
11:08:14.0 +0100
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = buster
diff -Nru 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
--- 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
 1970-01-01 01:00:00.0 +0100
+++ 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
 2019-11-27 11:08:14.0 +0100
@@ -0,0 +1,137 @@
+From: Moritz Schlarb 
+Date: Wed, 16 Oct 2019 10:53:49 +0200
+Subject: improve validation of the post-logout URL parameter on logout
+
+From https://github.com/zmartzone/mod_auth_openidc/compare/5c15dfb~1...v2.4.0.3
+
+Fixes https://security-tracker.debian.org/tracker/CVE-2019-14857
+---
+ src/mod_auth_openidc.c | 101 ++---
+ 1 file changed, 63 insertions(+), 38 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 5b971d5..916d60d 100644
+--- a/src/mod_auth_openidc.c
 b/src/mod_auth_openidc.c
+@@ -2938,6 +2938,61 @@ out:
+   return rc;
+ }
+ 
++static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char 
*url,
++  char **err_str, char **err_desc) {
++  apr_uri_t uri;
++  const char *c_host = NULL;
++
++  if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
++  *err_str = apr_pstrdup(r->pool, "Malformed URL");
++  *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", 
url);
++  oidc_error(r, "%s: %s", *err_str, *err_desc);
++  return FALSE;
++  }
++
++  c_host = oidc_get_current_url_host(r);
++  if ((uri.hostname != NULL)
++  && ((strstr(c_host, uri.hostname) == NULL)
++  || (strstr(uri.hostname, c_host) == 
NULL))) {
++  *err_str = apr_pstrdup(r->pool, "Invalid Request");
++  *err_desc =
++  apr_psprintf(r->pool,
++  "logout value \"%s\" does not 
match the hostname of the current request \"%s\"",
++  apr_uri_unparse(r->pool, &uri, 
0), c_host);
++  oidc_error(r, "%s: %s", *err_str, *err_desc);
++  return FALSE;
++  } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
++  *err_str = apr_pstrdup(r->pool, "Malformed URL");
++  *err_desc =
++  apr_psprintf(r->pool,
++  "No hostname was parsed and it 
does not seem to be relative, i.e starting with '/': %s",
++  url);
++  oidc_error(r, "%s: %s", *err_str, *err_desc);
++  return FALSE;
++} else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
++*err_str = apr_pstrdup(r->pool, "Malformed URL");
++*err_desc =
++apr_psprintf(r->pool,
++  
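Review bot: the visible part of oidc_validate_post_logout_url rejects an absolute URL on another host and a protocol-relative `//` URL, but a value beginning with `/\` reaches neither branch: apr_uri_parse yields no hostname, the string starts with `/`, and the `//` test does not fire, yet the report above describes exactly that backslash form as the CVE-2019-14857 problem; the hunk is cut off in this copy of the debdiff, so confirm that the rest of the backported patch carries the backslash check before accepting. Two smaller points: the pair of strstr() calls amounts to an equality test that is case-sensitive, so a legitimate same-host URL with a capitalised hostname is rejected (strcasecmp would do), and the final `else if` block is indented with spaces where the surrounding code uses tabs (the `+++ b/src/mod_auth_openidc.c` line has also lost its leading `+` in this copy).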

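An added example (not mod_auth_openidc's code) of the post-logout URL check the backported patch above implements, written in Python rather than the module's C so that the parser quirk behind the backslash variant can be shown next to a hardened validator; `current_host` stands in for the host the module derives from the request, and the host names are constructed.

```python
"""Added example (not mod_auth_openidc's code): the post-logout URL check
described in the CVE-2019-14857 fix above, in Python so the parser quirk
behind the backslash variant sits next to a hardened validator."""
from typing import Tuple
from urllib.parse import urlsplit


def naive_is_relative(url: str) -> bool:
    """The shape of check an open redirect slips past: "no host was parsed and
    the value starts with '/'". urllib.parse, like apr_uri_parse, does not
    treat a backslash as a slash, so "/\\other.example/x" looks host-less here
    even though browsers (WHATWG URL) navigate to //other.example/x."""
    parts = urlsplit(url)
    return parts.netloc == "" and url.startswith("/")


def validate_post_logout_url(url: str, current_host: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only a same-origin path or an absolute
    http(s) URL whose host equals current_host (case-insensitive). current_host
    stands in for the host the module derives from the incoming request."""
    if not url:
        return False, "empty URL"
    # Decide the browser-relevant cases on the raw string, before any parser
    # can disagree with the browser about what the second character means.
    if url.startswith("/") and len(url) > 1 and url[1] in "/\\":
        return False, "scheme-relative URL (// or /\\) is not allowed"
    if "\\" in url:
        return False, "backslash in URL"
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        if not url.startswith("/"):
            return False, "not a relative path"
        return True, "relative path"
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False, "unsupported scheme or missing host"
    # Exact host equality; the patch's pair of strstr() calls also amounts to
    # equality but is case-sensitive, which wrongly rejects "App.Example".
    if parts.hostname.lower() != current_host.lower():
        return False, "host %r does not match current host %r" % (
            parts.hostname, current_host)
    return True, "same host"


if __name__ == "__main__":
    # Constructed sample values; app.example plays the dashboard host.
    for candidate in ["/account/logout", "https://App.Example/bye",
                      "//other.example/x", "/\\other.example/x",
                      "https://other.example/bye", "ftp://app.example/x"]:
        print("%-26s naive=%-5s hardened=%s" % (
            candidate, naive_is_relative(candidate),
            validate_post_logout_url(candidate, "app.example")))
```
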
Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)

2019-11-27 Thread Moritz Muehlenhoff
On Wed, Nov 27, 2019 at 09:43:26AM +0100, Salvatore Bonaccorso wrote:
> Hi Holger,
> 
> On Tue, Nov 26, 2019 at 01:03:00PM +, Holger Levsen wrote:
> > On Sun, Nov 24, 2019 at 08:27:40PM +, Adam D. Barratt wrote:
> > > On Sun, 2019-11-24 at 18:42 +, Holger Levsen wrote:
> > > > - or should debian-security-support follow the normal point release
> > > > schedule, which AIUI currently has the unfortunate drawback that no
> > > > stretch point release is planned anymore (??)
> > > 
> > > Addressing just this point right now, I am not aware of any suggestion
> > > that there will be no further point releases for stretch.
> > > 
> > > There is not a planned date for 9.13 currently, but I'd expect that it
> > > will be some time in January, alongside 10.3. 9.14 will likely be the
> > > final point release before support moves over to LTS support, in mid-
> > > 2020.
> >  
> > ah, cool, thanks for this info.
> > 
> > so then the question is: shall the debian-security-support package
> > update, which informs the user that chromium doesnt have security
> > support in stretch, wait til then, or does this warrant an update via
> > stretch-updates or stretch-security?
> 
> I think this does not warrant a separate DSA,

We already had a DSA announcing Chromium EOL for stretch
(https://lists.debian.org/debian-security-announce/2019/msg00214.html),
as such let's simply install an updated debian-security-support to
stretch-security; no separate announcement needed.

Cheers,
Moritz



Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)

2019-11-27 Thread Salvatore Bonaccorso
Hi Holger,

On Tue, Nov 26, 2019 at 01:03:00PM +, Holger Levsen wrote:
> On Sun, Nov 24, 2019 at 08:27:40PM +, Adam D. Barratt wrote:
> > On Sun, 2019-11-24 at 18:42 +, Holger Levsen wrote:
> > > - or should debian-security-support follow the normal point release
> > > schedule, which AIUI currently has the unfortunate drawback that no
> > > stretch point release is planned anymore (??)
> > 
> > Addressing just this point right now, I am not aware of any suggestion
> > that there will be no further point releases for stretch.
> > 
> > There is not a planned date for 9.13 currently, but I'd expect that it
> > will be some time in January, alongside 10.3. 9.14 will likely be the
> > final point release before support moves over to LTS support, in mid-
> > 2020.
>  
> ah, cool, thanks for this info.
> 
> so then the question is: shall the debian-security-support package
> update, which informs the user that chromium doesnt have security
> support in stretch, wait til then, or does this warrant an update via
> stretch-updates or stretch-security?

I think this does not warrant a separate DSA, so I would say still as
usual the point release route with option (if SRM agree!) to release
it faster via *-updates.

When it is known that a DSA will end-of-life packages in a lower suite, then we
might release a debian-security-support along with installing the
corresponding packages, but I would say not as a separate DSA to be issued.

Regards,
Salvatore