Re: Bug#1050256: autopkgtest fails on debci
Control: block 1038315 by -1
Control: block 1042880 by -1

I don't think we have a good understanding of the root cause of this issue. Initially we thought this was a known upstream issue with all but very recent versions of apparmor and a corresponding lxc profile fix [0]. However, it appears this is a different issue that somehow depends on the interaction of bookworm's versions of the kernel, apparmor, and/or lxc.

A minimal reproducer is to install bookworm and create a container with a systemd service using a hardening option like PrivateNetwork=yes. With the latest bookworm kernel (6.1.38-4), the service will fail. But, grab a kernel from testing (6.4.11-1) and then things work -- with no other changes required. I tried the "oldest" kernel on snapshot.d.o post 6.1 series (6.3.1+1~exp1 [1]) and the service works properly with that version as well. So, something changed in the kernel (either upstream or in Debian's packaging) between 6.1 and 6.3 that "unbreaks" services within lxc containers.

Given that simply installing a newer kernel fixes things, I am hesitant to start making changes to lxc until we actually understand what's changed when running the newer kernel and how it's affecting lxc's behavior.

On Thu, 2023-08-31 at 19:54 +0200, Christian Boltz wrote:
> That said - the DENIED log entry translates to
>
> unix send type=dgram,
>
> You could try if adding this rule to the lxc-autopkgtest-lxc-iomhit_*
> profile helps - but if the issue is really on the kernel side, my
> hope is limited).

I have tried tweaking the apparmor profile that's generated for containers (the relevant part is defined in the variable AA_PROFILE_UNIX_SOCKETS in src/lxc/lsm/apparmor.c), but haven't had any success in a workaround. I am not super familiar with apparmor, so maybe I'm not specifying things right, but I've previously tried the sort of rules Christian suggested, none of which have had any effect.

On Fri, 2023-09-01 at 13:23 +0200, Michael Biebl wrote:
> The only way to fix the container was to use the aforementioned
> `lxc.apparmor.profile = unconfined`.
> I think we should do that as the breakage is rather widespread and I
> already see individual packages trying to work around that to at
> least keep debci afloat.

I strongly dislike the idea of blanketly disabling apparmor profiles by default for all lxc installs, since apparmor is one of the ways of helping to ensure isolation of containers. For the specific instance of debci, /etc/lxc/default.conf can be modified post-lxc install to change lxc.apparmor.profile from "generated" to "unconfined" for the time being.

Mathias

---
[0] -- https://github.com/lxc/lxc/issues/4333
[1] -- https://snapshot.debian.org/package/linux-signed-amd64/6.3.1%2B1~exp1/
Bug#1041667: marked as done (transition: ffmpeg)
Your message dated Sat, 2 Sep 2023 00:20:25 +0200 with message-id and subject line Re: Bug#1041667: transition: ffmpeg has caused the Debian Bug report #1041667, regarding transition: ffmpeg to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1041667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041667 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: ffm...@packages.debian.org, sramac...@debian.org Control: affects -1 + src:ffmpeg Control: forwarded -1 https://release.debian.org/transitions/html/auto-ffmpeg.html Control: block -1 by 1041356 1041375 1041376 1041377 1041378 1041379 1041380 1041382 1041400 1041401 1041402 1041492 104193 1041504 1041505 1041506 1041507 1041636 1041637 1041666 1041664 1041665 Tracking bug for the ffmpeg 6.0 transition. I intend to upload ffmpeg 6.0 after the Qt 5 transition is done. 
Cheers -- Sebastian Ramacher --- End Message --- --- Begin Message --- On 2023-07-21 21:25:59 +0200, Sebastian Ramacher wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: transition > X-Debbugs-Cc: ffm...@packages.debian.org, sramac...@debian.org > Control: affects -1 + src:ffmpeg > Control: forwarded -1 > https://release.debian.org/transitions/html/auto-ffmpeg.html > Control: block -1 by 1041356 1041375 1041376 1041377 1041378 1041379 1041380 > 1041382 1041400 1041401 1041402 1041492 104193 1041504 1041505 1041506 > 1041507 1041636 1041637 1041666 1041664 1041665 > > Tracking bug for the ffmpeg 6.0 transition. I intend to upload ffmpeg > 6.0 after the Qt 5 transition is done. The old binaries got removed from testing. Closing. Cheers -- Sebastian Ramacher--- End Message ---
Processed: Re: Bug#1049982: bullseye-pu: package riemann-c-client/1.10.4-2+b2
Processing control commands: > retitle -1 bullseye-pu: package riemann-c-client/1.10.4-2+deb11u1 Bug #1049982 [release.debian.org] bullseye-pu: package riemann-c-client/1.10.4-2+b2 Changed Bug title to 'bullseye-pu: package riemann-c-client/1.10.4-2+deb11u1' from 'bullseye-pu: package riemann-c-client/1.10.4-2+b2'. > tag -1 - moreinfo Bug #1049982 [release.debian.org] bullseye-pu: package riemann-c-client/1.10.4-2+deb11u1 Removed tag(s) moreinfo. -- 1049982: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049982 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1049982: bullseye-pu: package riemann-c-client/1.10.4-2+b2
Control: retitle -1 bullseye-pu: package riemann-c-client/1.10.4-2+deb11u1
Control: tag -1 - moreinfo
Bug#1049988: bookworm-pu: package riemann-c-client/1.10.4-2
Control: retitle -1 bookworm-pu: package riemann-c-client/1.10.4-2+deb12u1
Processed: Re: Bug#1049988: bookworm-pu: package riemann-c-client/1.10.4-2
Processing control commands: > retitle -1 bookworm-pu: package riemann-c-client/1.10.4-2+deb12u1 Bug #1049988 [release.debian.org] bookworm-pu: package riemann-c-client/1.10.4-2 Changed Bug title to 'bookworm-pu: package riemann-c-client/1.10.4-2+deb12u1' from 'bookworm-pu: package riemann-c-client/1.10.4-2'. -- 1049988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049988 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1049988: bookworm-pu: package riemann-c-client/1.10.4-2
Control: tag -1 - moreinfo
Processed: Re: Bug#1049988: bookworm-pu: package riemann-c-client/1.10.4-2
Processing control commands: > tag -1 - moreinfo Bug #1049988 [release.debian.org] bookworm-pu: package riemann-c-client/1.10.4-2 Ignoring request to alter tags of bug #1049988 to the same tags previously set -- 1049988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049988 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1050974: binNMU: Rebuild against curl without NSS support
Hi,

On 01-09-2023 14:25, Samuel Henrique wrote:
> These packages have a build dependency on the virtual package "libcurl4-dev", which is satisfiable by any variant of the curl binaries (openssl, gnutls, nss).

Policy 7.5 [1] says that "To specify which of a set of real packages should be the default to satisfy a particular dependency on a virtual package, list the real package as an alternative before the virtual one." It's best practice to specify which real package should be used to avoid apt choosing it on the buildd. We had variation because of temporary non-installability in the past (IIRC); it's better to wait with building. I must admit I thought the requirement was stronger and you *had to* specify a real package before a virtual build dependency.

Paul

[1] https://www.debian.org/doc/debian-policy/ch-relationships.html#virtual-packages-provides
NEW changes in oldstable-new
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_source.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.50.3+dfsg-1+deb11u1_s390x-buildd.changes
  ACCEPT
Processed: your mail
Processing commands for cont...@bugs.debian.org: > block 1050591 by 1037213 Bug #1050591 [release.debian.org] bullseye-pu: package awstats/7.8-2+deb11u2 1050591 was blocked by: 1050384 1050591 was not blocking any bugs. Added blocking bug(s) of 1050591: 1037213 > block 1050384 by 1037213 Bug #1050384 [release.debian.org] bookworm-pu: package awstats/7.8-3+deb12u1 1050384 was not blocked by any bugs. 1050384 was blocking: 1050591 Added blocking bug(s) of 1050384: 1037213 > End of message, stopping processing here. Please contact me if you need assistance. -- 1050384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050384 1050591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050591 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 1049988
Processing commands for cont...@bugs.debian.org: > tags 1049988 - moreinfo Bug #1049988 [release.debian.org] bookworm-pu: package riemann-c-client/1.10.4-2 Removed tag(s) moreinfo. > thanks Stopping processing here. Please contact me if you need assistance. -- 1049988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049988 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Upcoming stable (12.2) and oldstable (11.8) point releases
The next point releases for "bookworm" (12.2) and "bullseye" (11.8) will take place on Saturday, October 7th 2023. Processing of new uploads into the relevant queues will be frozen the preceding weekend.

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1051051: bullseye-pu: package rustc-mozilla/1.63.0+dfsg1-2~deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: team+pkg-mozi...@tracker.debian.org Hi, The time has come for a new Firefox / Thunderbird ESR release in *stable. This will require rustc/cargo/cbindgen backports as usual. For bookworm we're in a good shape for this update, but for bullseye and buster we'll need all three updates. For rustc-mozilla, I've used the version from bookworm. Hopefully I got all the stage0 binaries this time. Risk is low as this package is only used to build FF/TB. I have successfully built the whole chain up to FF 115 ESR on amd64. I'm attaching a diff from rustc_1.63/bookworm to the proposed update. I don't think there's much value in a 1.59->1.63 diff, but if you want it say so and I'll prepare one. Thanks, Emilio diff -ruNp debian.rustc/changelog debian/changelog --- debian.rustc/changelog 2023-01-14 09:38:46.0 +0100 +++ debian/changelog2023-07-28 13:44:06.0 +0200 @@ -1,3 +1,13 @@ +rustc-mozilla (1.63.0+dfsg1-2~deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Backport to bullseye as rustc-mozilla. + * Do a bootstrap build. + * Disable wasm. + * Disable new binary packages rustfmt, -clippy, -all. + + -- Emilio Pozuelo Monfort Fri, 28 Jul 2023 13:44:06 +0200 + rustc (1.63.0+dfsg1-2) unstable; urgency=medium [ Fabian Grünbichler ] diff -ruNp debian.rustc/control debian/control --- debian.rustc/control2023-01-14 09:38:46.0 +0100 +++ debian/control 2023-07-28 13:44:06.0 +0200 @@ -1,4 +1,4 @@ -Source: rustc +Source: rustc-mozilla Section: devel Priority: optional Maintainer: Debian Rust Maintainers 
@@ -12,14 +12,14 @@ Build-Depends: debhelper-compat (= 13), dpkg-dev (>= 1.17.14), python3:native, - cargo:native (>= 0.60.0) , - rustc:native (>= 1.62.0+dfsg) , - rustc:native (<= 1.63.0++), - llvm-14-dev:native, - llvm-14-tools:native, +# cargo:native (>= 0.60.0) , +# rustc:native (>= 1.62.0+dfsg) , +# rustc:native (<= 1.63.0++), + llvm-13-dev:native, + llvm-13-tools:native, gcc-mingw-w64-x86-64-posix:native [amd64] , gcc-mingw-w64-i686-posix:native [i386] , - libllvm14 (>= 1:14.0.0), + libllvm13 (>= 1:13.0.0), cmake (>= 3.0) | cmake3, # needed by some vendor crates pkg-config, @@ -38,30 +38,32 @@ Build-Depends: curl , ca-certificates , Build-Depends-Indep: - wasi-libc (>= 0.0~git20220510.9886d3d~~) , - wasi-libc (<= 0.0~git20220510.9886d3d++) , - clang-14:native, +# wasi-libc (>= 0.0~git20220510.9886d3d~~) , +# wasi-libc (<= 0.0~git20220510.9886d3d++) , + clang-13:native, Build-Conflicts: gdb-minimal Standards-Version: 4.2.1 Homepage: http://www.rust-lang.org/ Vcs-Git: https://salsa.debian.org/rust-team/rust.git Vcs-Browser: https://salsa.debian.org/rust-team/rust -Package: rustc +Package: rustc-mozilla Architecture: any Multi-Arch: allowed Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends}, - libstd-rust-dev (= ${binary:Version}), + libstd-rust-mozilla-dev (= ${binary:Version}), gcc, libc-dev, binutils (>= 2.26) Recommends: cargo (>= 0.64.0~~), cargo (<< 0.65.0~~), # llvm is needed for llvm-dwp for -C split-debuginfo=packed - llvm-14, + llvm-13, Suggests: # lld and clang are needed for wasm compilation - lld-14, clang-14, -Replaces: libstd-rust-dev (<< 1.25.0+dfsg1-2~~) + lld-13, clang-13, +Conflicts: rustc +Provides: rustc (= ${binary:Version}) +Replaces: libstd-rust-dev (<< 1.25.0+dfsg1-2~~), rustc Breaks: libstd-rust-dev (<< 1.25.0+dfsg1-2~~) Description: Rust systems programming language Rust is a curly-brace, block-structured expression language. It 
@@ -76,7 +78,7 @@ Description: Rust systems programming la generic programming and meta-programming, in both static and dynamic styles. -Package: libstd-rust-1.63 +Package: libstd-rust-mozilla-1.63 Section: libs Architecture: any Multi-Arch: same @@ -98,12 +100,12 @@ Description: Rust standard libraries This package contains the standard Rust libraries, built as dylibs, needed to run dynamically-linked Rust programs (-C prefer-dynamic). -Package: libstd-rust-dev +Package: libstd-rust-mozilla-dev Section: libdevel Architecture: any Multi-Arch: same Depends: ${shlibs:Depends}, ${misc:Depends}, - libstd-rust-1.63 (= ${binary:Version}), + libstd-rust-mozilla-1.63 (= ${binary:Version}), Description: Rust standard libraries - development files Rust is a curly-brace, block-structured expression language. It visually resembles the C language family, but differs significantly @@ -121,7 +123,7 @@ Description: Rust standard libraries - d needed to compile Rust programs. It may also be installed on a system of another host architecture, for cross-compiling to this architecture. -Package: libstd-rust-dev-windows +Package: libstd-rust-mozilla-dev-windows Section: libdevel Architecture: amd64 i386 Multi-Arch: same @@ -129,6 +131,7 @@ Depends:
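Review bot: the debian/changelog hunk records "Do a bootstrap build" and the @@ -12,14 +12,14 @@ control hunk comments out the `cargo:native` / `rustc:native` build-dependencies accordingly, but nothing in the debdiff documents where the stage0 bootstrap binaries come from or how they were verified, and the cover letter itself says "Hopefully I got all the stage0 binaries this time". Please add the upstream origin (URL and release) and the checksums of the stage0 binaries to README.source or the changelog so the bootstrap can be audited and reproduced by someone other than the uploader.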
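Review bot: in the @@ -38,30 +38,32 @@ hunk the binary package is renamed to rustc-mozilla and gains `Conflicts: rustc`, `Provides: rustc (= ${binary:Version})` and `Replaces: libstd-rust-dev (<< 1.25.0+dfsg1-2~~), rustc`, but `Recommends: cargo (>= 0.64.0~~), cargo (<< 0.65.0~~)` is carried over unchanged from the unstable package. The cargo shipped in bullseye is far older than 0.64, so that Recommends is only resolvable if the matching cargo-mozilla backport Provides a versioned cargo; please confirm that, or point the Recommends at cargo-mozilla. The Conflicts/Replaces also mean installing rustc-mozilla removes the distribution rustc, which the changelog entry should say explicitly. Finally, the changelog says "Disable wasm" and the wasi-libc build-dependencies are commented out, yet the Suggests still carry the "lld and clang are needed for wasm compilation" comment with `lld-13, clang-13`; drop or reword those so control does not advertise a target this build no longer provides.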
Re: [pkg-apparmor] Bug#1050256: autopkgtest fails on debci
On 01.09.23 at 13:23, Michael Biebl wrote:
> The only way to fix the container was to use the aforementioned
> `lxc.apparmor.profile = unconfined`.
> I think we should do that as the breakage is rather widespread and I
> already see individual packages trying to work around that to at
> least keep debci afloat.

See e.g.:
https://salsa.debian.org/systemd-team/systemd/-/merge_requests/211
https://salsa.debian.org/debian/pdns/-/commit/637e54ef73386541086da430553b82db78266bac

or disabling the systemd hardening options completely:
https://salsa.debian.org/utopia-team/polkit/-/blob/master/debian/patches/debian/Don-t-use-PrivateNetwork-yes-for-the-systemd-unit.patch

This is not a good outcome of this and the problem will become more apparent with debci running on bookworm now.

I went ahead and submitted https://salsa.debian.org/lxc-team/lxc/-/merge_requests/18 since I don't see another solution atm. Looping in the release team as well for their input.

Regards,
Michael
Processed: binNMU: Rebuild against curl without NSS support
Processing control commands: > tags -1 - moreinfo Bug #1050976 [release.debian.org] nmu: llvm-toolchain-15_1:15.0.7-8 Ignoring request to alter tags of bug #1050976 to the same tags previously set -- 1050976: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050976 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: binNMU: Rebuild against curl without NSS support
Processing control commands: > tags -1 - moreinfo Bug #1050977 [release.debian.org] nmu: eg25-manager_0.4.6-1 Ignoring request to alter tags of bug #1050977 to the same tags previously set -- 1050977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050977 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: binNMU: Rebuild against curl without NSS support
Processing control commands: > tags -1 - moreinfo Bug #1050974 [release.debian.org] nmu: llvm-toolchain-14_1:14.0.6-13 Removed tag(s) moreinfo. -- 1050974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050974 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1050974: binNMU: Rebuild against curl without NSS support
Control: tags -1 - moreinfo

Hello Sebastian,

I'm sending this same response to all 3 bugs related to this.

> Why does that require rebuilds?

These packages have a build dependency on the virtual package "libcurl4-dev", which is satisfiable by any variant of the curl binaries (openssl, gnutls, nss). Our current builds ended up linking against the nss variant, so now that we've dropped that, a rebuild is needed for the packages to pick either openssl or gnutls.

Related bugs:

Main one where I'm tracking all changes:
libcurl4-nss-dev: NSS support will be dropped in August 2023
https://bugs.debian.org/1038907

Bugs against the packages I'm requesting the binNMUs:
llvm-toolchain-14: links against libcurl3-nss which will be dropped in August 2023
https://bugs.debian.org/1043550
llvm-toolchain-15: links against libcurl3-nss which will be dropped in August 2023
https://bugs.debian.org/1043551
eg25-manager: build-depends on deprecated libcurl4-nss-dev, will be dropped in August 2023
https://bugs.debian.org/1043547

Thank you,

-- 
Samuel Henrique
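Paul's message on Policy 7.5 and Samuel's explanation above both come down to the same question: which real provider of the virtual libcurl4-dev did a build pick up, and therefore which libcurl SONAME do the shipped binaries actually carry in their NEEDED entries. The following is an added example, not code from these bug reports or from the curl, llvm-toolchain or eg25-manager packaging: a POSIX shell helper that classifies the libcurl variant from `readelf -d` output and lists the files under a tree (an unpacked .deb, a chroot) that link the nss variant. The three SONAME-to-variant mappings and the directory-walking helper are this example's own assumptions, and the `readelf` output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report: find binaries that were linked
# against the NSS variant of libcurl, so they can be scheduled for a binNMU.
#
# Which of the libcurl4-dev providers satisfied the build shows up in the
# resulting ELF NEEDED entries (assumed SONAMEs of the Debian variants):
#   libcurl.so.4         -> libcurl4-openssl-dev (the default variant)
#   libcurl-gnutls.so.4  -> libcurl4-gnutls-dev
#   libcurl-nss.so.4     -> libcurl4-nss-dev (being removed)
#
# To stop apt picking an arbitrary provider on the buildd, Policy 7.5 says to
# list a real package before the virtual one in debian/control, e.g.
#   Build-Depends: libcurl4-openssl-dev | libcurl4-dev
#
# Constructed sample of `readelf -d` output that this script understands:
#   0x0000000000000001 (NEEDED)  Shared library: [libcurl-nss.so.4]
#   0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]

# Map a libcurl SONAME to its variant name; fail for anything unrecognised.
curl_variant_of_soname() {
    case "$1" in
        libcurl.so.4)        echo openssl ;;
        libcurl-gnutls.so.4) echo gnutls ;;
        libcurl-nss.so.4)    echo nss ;;
        *)                   return 1 ;;
    esac
}

# Read `readelf -d <binary>` output on stdin and print the variant of every
# libcurl NEEDED entry (normally exactly one). Prints nothing when the binary
# does not link libcurl at all, and "unknown:<soname>" for a libcurl SONAME
# this script does not know, so a new variant is never silently classified.
curl_variant_from_readelf() {
    sed -n 's/.*(NEEDED).*Shared library: \[\(libcurl[^]]*\)\].*/\1/p' |
    while IFS= read -r soname; do
        curl_variant_of_soname "$soname" || echo "unknown:$soname"
    done
}

# Walk a directory tree and print every regular file whose dynamic section
# names the nss variant. Non-ELF files make readelf fail, which is silenced.
find_nss_linked() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case "$(readelf -d "$f" 2>/dev/null | curl_variant_from_readelf)" in
            nss) printf '%s\n' "$f" ;;
        esac
    done
}

# Usage: sh curl-variant.sh /path/to/unpacked/tree
# Only runs the scan when given exactly one argument, so the functions above
# can also be sourced from another script.
if [ "$#" -eq 1 ]; then
    find_nss_linked "$1"
fi
```

Running it over the unpacked llvm-toolchain-14 binaries before and after the binNMU is the check that the rebuild actually switched provider; an "unknown:" result means a fourth variant appeared and the mapping needs updating rather than the binary being ignored.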
Processed: retitle 1051024 bookworm-pu: package igtf-policy-bundle/1.122-1~deb12u1
Processing commands for cont...@bugs.debian.org: > retitle 1051024 bookworm-pu: package igtf-policy-bundle/1.122-1~deb12u1 Bug #1051024 [release.debian.org] bookworm-pu: package igtf-policy-bundle/1.22-1~deb12u1 Changed Bug title to 'bookworm-pu: package igtf-policy-bundle/1.122-1~deb12u1' from 'bookworm-pu: package igtf-policy-bundle/1.22-1~deb12u1'. > End of message, stopping processing here. Please contact me if you need assistance. -- 1051024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051024 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1051024: bookworm-pu: package igtf-policy-bundle/1.22-1~deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: igtf-policy-bun...@packages.debian.org
Control: affects -1 + src:igtf-policy-bundle

[ Reason ]
The IGTF bundle provides important trust anchors for the Research and Education communities, both for reliance on the identity of servers for compute and storage services, and for user identification based on personal certificates.

A recent change in the rules for S/MIME certificates[1] has urged a change in the profiles for end user and robot certificates, effectively by 28 August 2023. Relying parties who need to authenticate users should install this update as soon as possible.

1. https://cabforum.org/smime-br/

More details about the change can be found on the web page of the upstream maintainer[2].

2. https://www.nikhef.nl/~davidg/tcsg4/GEANT-TCSG4-private-CA-extension-20230712.pdf

[ Impact ]
Normally I would not propose to update the package in Debian stable but this change may break authentication for some users. They could install the package from unstable or backports (if available).

[ Tests ]
I normally install the packages on my own systems to try out that they work. Since the deployment is relatively straightforward there is rarely an issue.

[ Risks ]
There are no code changes between versions, it should be safe (in fact, recommended) to always install the latest version of the bundle.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable

[ Changes ]
See the upstream CHANGES file (or d/changelog).
Processed: bookworm-pu: package igtf-policy-bundle/1.22-1~deb12u1
Processing control commands: > affects -1 + src:igtf-policy-bundle Bug #1051024 [release.debian.org] bookworm-pu: package igtf-policy-bundle/1.22-1~deb12u1 Added indication that 1051024 affects src:igtf-policy-bundle -- 1051024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051024 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#1050974: nmu: llvm-toolchain-14_1:14.0.6-13
Processing control commands: > tags -1 moreinfo Bug #1050974 [release.debian.org] nmu: llvm-toolchain-14_1:14.0.6-13 Added tag(s) moreinfo. -- 1050974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050974 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1050974: nmu: llvm-toolchain-14_1:14.0.6-13
Control: tags -1 moreinfo

On 2023-08-31 23:25:50 +0100, Samuel Henrique wrote:
> Package: release.debian.org
> Control: affects -1 + src:llvm-toolchain-14
> X-Debbugs-Cc: llvm-toolchain...@packages.debian.org
> User: release.debian@packages.debian.org
> Usertags: binnmu
> X-Debbugs-Cc: samuel...@debian.org
> Severity: normal
>
> nmu llvm-toolchain-14_1:14.0.6-13 . all amd64 arm64 armel armhf i386
> mips64el ppc64el s390x hurd-i386 sparc64 . unstable . -m "Rebuild
> against curl without NSS support"

Why does that require rebuilds?

Cheers
-- 
Sebastian Ramacher
Bug#1050997: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: lemonldap...@packages.debian.org Control: affects -1 + src:lemonldap-ng [ Reason ] Version 2.17.0 of lemonldap-ng fixes two low-level security issues: * the "login" security regex wasn't applied when using AuthSlave * lemonldap-ng portal can be used as open-redirection due to incorrect escape handling This proposal includes these 2 patches for Bookworm [ Impact ] Low security issues [ Tests ] Test updated, passed both with autopkgtest and build [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] * check if login value respects the config when login comes from AuthSlave * Sanitize URLs used in redirections * Tests Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 8de0d083f..268c0d993 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-deb12u1) UNRELEASED; urgency=medium + + * Apply login control to auth-slave requests + * Fix open redirection due to incorrect escape handling + + -- Yadd Fri, 01 Sep 2023 10:11:50 +0400 + lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium * Fix incorrect parsing of OP-provided acr diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml index 33c3a640d..756ccd252 100644 --- a/debian/gitlab-ci.yml +++ b/debian/gitlab-ci.yml @@ -1,4 +1,6 @@ --- +variables: + RELEASE: 'bookworm' include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml diff --git a/debian/patches/apply-user-control-to-authslave.patch b/debian/patches/apply-user-control-to-authslave.patch new file mode 100644 index 0..df0ceca39 --- /dev/null 
+++ b/debian/patches/apply-user-control-to-authslave.patch 
@@ -0,0 +1,83 @@ +Description: [Security] apply user-control to authSlave +Author: Christophe Maudoux +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946 +Forwarded: not-needed +Applied-Upstream: 2.17.0, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351 +Reviewed-By: Yadd +Last-Update: 2023-09-01 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm +@@ -8,6 +8,7 @@ + PE_OK + PE_FORBIDDENIP + PE_USERNOTFOUND ++ PE_MALFORMEDUSER + ); + + our $VERSION = '2.0.12'; +@@ -37,11 +38,15 @@ + $user_header = 'HTTP_' . uc($user_header); + $user_header =~ s/\-/_/g; + +-unless ( $req->{user} = $req->env->{$user_header} ) { ++unless ( $req->env->{$user_header} ) { + $self->userLogger->error( + "No header " . $self->conf->{slaveUserHeader} . " found" ); + return PE_USERNOTFOUND; + } ++return PE_MALFORMEDUSER ++ unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o ); ++ ++$req->{user} = $req->env->{$user_header}; + return PE_OK; + } + +--- a/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t b/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t +@@ -2,7 +2,7 @@ + use Test::More; + use strict; + use JSON; +-use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND); ++use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND PE_MALFORMEDUSER); + + require 't/test-lib.pm'; + +@@ -17,6 +17,7 @@ + securedCookie => 3, + authentication => 'Slave', + userDB => 'Same', ++userControl=> '^\w{4}$', + slaveUserHeader=> 'My-Test', + slaveHeaderName=> 'Check-Slave', + slaveHeaderContent => 'Password', +@@ -91,6 +92,27 @@ + or explain( $json, "error => 4" ); + count(4); + ++# Good credentials with an unauthorized login ++ok( ++$res = $client->_get( ++'/', ++ip => '127.0.0.1', ++custom => { ++HTTP_MY_TEST => 'dwhoo', ++HTTP_NAME=> 'Dr 
Who', ++HTTP_CHECK_SLAVE => 'Password', ++} ++ ++), ++'Auth query' ++); ++ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 ); ++ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' ) ++ or print STDERR "$@\n" . Dumper($res); ++ok( $json->{error} == PE_MALFORMEDUSER, 'Response is PE_MALFORMEDUSER' ) ++ or explain( $json, "error => 40" ); ++count(4); ++ + # Good credentials with acredited IP + ok( + $res = $client->_get( diff --git a/debian/patches/fix-open-redirection.patch b/debian/patches/fix-open-redirection.patch new file mode 100644 index 0..96850a2a4
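Review bot: in the debian/changelog hunk the new entry is versioned `2.16.1+ds-deb12u1` with distribution `UNRELEASED`, directly above the existing `lemonldap-ng (2.16.1+ds-2) unstable` entry. The stable-update convention is to append to the revision being updated, i.e. `2.16.1+ds-2+deb12u1`: in dpkg's version comparison a revision that starts with a letter sorts above any purely numeric revision, so `-deb12u1` compares higher than a later `-3` in unstable and would block the bookworm-to-testing upgrade path for that version. The distribution also needs to be `bookworm` before upload, and the two bullet points would be easier to trace if they carried the gitlab.ow2.org issue URLs already present in the patch headers.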
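Review bot: in the lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm hunk the new `return PE_MALFORMEDUSER unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o );` rejects silently, whereas the PE_USERNOTFOUND branch just above it logs through `$self->userLogger->error(...)`. A header-supplied username that fails userControl is the one event an operator wants in the auth log, since it is the signature of a misconfigured or spoofed upstream proxy, so log the header name and (at least that there was) a rejected value before returning. Two smaller points on the same line: the `/o` modifier compiles the interpolated pattern once per process, so a userControl changed through a configuration reload will not take effect in that worker until restart (precompile with qr// when the configuration is loaded, or drop /o); and the match is unanchored, so the check only constrains the whole header value when the configured pattern carries ^ and $, as the test's `userControl => '^\w{4}$'` does.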
Processed: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1
Processing control commands: > affects -1 + src:lemonldap-ng Bug #1050997 [release.debian.org] bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1 Added indication that 1050997 affects src:lemonldap-ng -- 1050997: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050997 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems