Bug#1033323: unblock: radsecproxy/1.9.2-2

2023-03-22 Thread Sven Hartge 
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: radsecpr...@packages.debian.org
Control: affects -1 + src:radsecproxy

Please unblock package radsecproxy

[ Reason ]
Getting the new logcheck rules compatible with new rsyslog format into
Debian Bookworm, preventing a regression on logcheck reporting.

[ Impact ]
logcheck ignore rules will no longer match, creating mails every hour if
logcheck is used, regressing the behavior seen in Debian Bullseye.

[ Tests ]
No automated tests but the packages with the new rules have been running
in production at my employer for the last 4 weeks, working correctly.

[ Risks ]
No risks involved, the core code of the daemon is unchanged from the
1.9.2-1 version, only the logcheck rules have changed.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]

unblock radsecproxy/1.9.2-2
diff -Nru radsecproxy-1.9.2/debian/changelog radsecproxy-1.9.2/debian/changelog
--- radsecproxy-1.9.2/debian/changelog  2023-02-16 14:28:15.0 +0100
+++ radsecproxy-1.9.2/debian/changelog  2023-03-06 16:39:08.0 +0100
@@ -1,3 +1,10 @@
+radsecproxy (1.9.2-2) unstable; urgency=medium
+
+  * Improve logcheck patterns to reduce noise
+  * Make logcheck rules compatible with all syslog timestamp formats
+
+ -- Sven Hartge   Mon, 06 Mar 2023 16:39:08 +0100
+
 radsecproxy (1.9.2-1) unstable; urgency=medium
 
   * New upstream version 1.9.2
diff -Nru radsecproxy-1.9.2/debian/logcheck.ignore.server 
radsecproxy-1.9.2/debian/logcheck.ignore.server
--- radsecproxy-1.9.2/debian/logcheck.ignore.server 2023-02-16 
14:28:15.0 +0100
+++ radsecproxy-1.9.2/debian/logcheck.ignore.server 2023-03-06 
16:39:08.0 +0100
@@ -1,3 +1,4 @@
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: 
(Accounting-Response|Access-(Accept|Reject)) for user [@._[:alnum:]-]+ 
(stationid [.:[:xdigit:]-]+ )?from [._[:alnum:]-]+( \([[:print:]]+\))? to 
[._[:alnum:]-]+ \([.:[:xdigit:]]+\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: 
Access-Accept \(response to Status-Server\) from [._[:alnum:]-]+ to 
[._[:alnum:]-]+ \([.:[:xdigit:]]+\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: replyh: 
got status server response from [._[:alnum:]-]+$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ 
radsecproxy\[[[:digit:]]+\]: (Accounting-Response|Access-(Accept|Reject)) for 
user [@._[:alnum:]-]+ (stationid [.:[:xdigit:]-]+ )?from [._[:alnum:]-]+( 
\([[:print:]]+\))? to [._[:alnum:]-]+ \([.:[:xdigit:]]+\)( operator 
[[:print:]]+)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ 
radsecproxy\[[[:digit:]]+\]: Access-Accept \(response to Status-Server\) from 
[._[:alnum:]-]+ to [._[:alnum:]-]+ \([.:[:xdigit:]]+\)( operator 
[._[:alnum:]-]+)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ 
radsecproxy\[[[:digit:]]+\]: replyh: got status server response from 
[._[:alnum:]-]+$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ 
radsecproxy\[[[:digit:]]+\]: missing response to Access-Request for user 
[@._[:alnum:]-]+ (stationid [.:[:xdigit:]-]+ )?from [._[:alnum:]-]+ 
\([.:[:xdigit:]]+\) to [._[:alnum:]-]+$

Bug#989177: unblock: radsecproxy/1.8.2-4

2021-05-27 Thread Sven Hartge 
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package radsecproxy

Version 1.8.2-4 fixes a minor CVE in some of the provided example helper
scripts.

There is no change to any other active code in radsecproxy itself. A
full debdiff is attached.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock radsecproxy/1.8.2-4
diff -Nru radsecproxy-1.8.2/debian/changelog radsecproxy-1.8.2/debian/changelog
--- radsecproxy-1.8.2/debian/changelog  2020-11-23 12:09:13.0 +0100
+++ radsecproxy-1.8.2/debian/changelog  2021-05-27 07:58:57.0 +0200
@@ -1,3 +1,9 @@
+radsecproxy (1.8.2-4) unstable; urgency=high
+
+  * Fix CVE-2021-32642
+
+ -- Sven Hartge   Thu, 27 May 2021 07:58:57 +0200
+
 radsecproxy (1.8.2-3) unstable; urgency=medium
 
   * Remove override for no longer existing lintian tag.
diff -Nru radsecproxy-1.8.2/debian/gbp.conf radsecproxy-1.8.2/debian/gbp.conf
--- radsecproxy-1.8.2/debian/gbp.conf   1970-01-01 01:00:00.0 +0100
+++ radsecproxy-1.8.2/debian/gbp.conf   2021-05-27 07:58:57.0 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = bullseye
+
diff -Nru radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 
radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642
--- radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 1970-01-01 
01:00:00.0 +0100
+++ radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 2021-05-27 
07:58:57.0 +0200
@@ -0,0 +1,124 @@
+Author: Fabian Mauchle 
+Last-Update: 2021-05-04
+Description: add result validation to dyndisc example scripts
+
+Original Commit ab7a2ea42a75d5ad3421e4365f63cbdcb08fb7af Mon Sep 17 00:00:00 
2001
+reported by Philipp Jeitner and Haya Shulman, Fraunhofer SIT
+
+---
+ tools/naptr-eduroam.sh | 40 ++--
+ tools/radsec-dynsrv.sh | 20 
+ 2 files changed, 42 insertions(+), 18 deletions(-)
+
+diff --git a/tools/naptr-eduroam.sh b/tools/naptr-eduroam.sh
+index e310812..5402d18 100755
+--- a/tools/naptr-eduroam.sh
 b/tools/naptr-eduroam.sh
+@@ -19,41 +19,53 @@ DIGCMD=$(command -v dig)
+ HOSTCMD=$(command -v host)
+ PRINTCMD=$(command -v printf)
+ 
++validate_host() {
++ echo ${@} | tr -d '\n\t\r' | grep -E '^[_0-9a-zA-Z][-._0-9a-zA-Z]*$'
++}
++
++validate_port() {
++ echo ${@} | tr -d '\n\t\r' | grep -E '^[0-9]+$'
++}
++
+ dig_it_srv() {
+ ${DIGCMD} +short srv $SRV_HOST | sort -n -k1 |
+ while read line; do
+-  set $line ; PORT=$3 ; HOST=$4
+-  $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++set $line ; PORT=$(validate_port $3) ; HOST=$(validate_host $4)
++if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then
++$PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++fi
+ done
+ }
+ 
+ dig_it_naptr() {
+ ${DIGCMD} +short naptr ${REALM} | grep x-eduroam:radius.tls | sort -n -k1 
|
+ while read line; do
+-  set $line ; TYPE=$3 ; HOST=$6
+-  if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then
+-  SRV_HOST=${HOST%.}
+-  dig_it_srv
+-  fi
++set $line ; TYPE=$3 ; HOST=$(validate_host $6)
++if ( [ "$TYPE" = "\"s\"" ] || [ "$TYPE" = "\"S\"" ] ) && [ -n 
"${HOST}" ]; then
++SRV_HOST=${HOST%.}
++dig_it_srv
++fi
+ done
+ }
+ 
+ host_it_srv() {
+ ${HOSTCMD} -t srv $SRV_HOST | sort -n -k5 |
+ while read line; do
+-  set $line ; PORT=$7 ; HOST=$8 
+-  $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++set $line ; PORT=$(validate_port $7) ; HOST=$(validate_host $8) 
++if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then
++$PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++fi
+ done
+ }
+ 
+ host_it_naptr() {
+ ${HOSTCMD} -t naptr ${REALM} | grep x-eduroam:radius.tls | sort -n -k5 |
+ while read line; do
+-  set $line ; TYPE=$7 ; HOST=${10}
+-  if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then
+-  SRV_HOST=${HOST%.}
+-  host_it_srv
+-  fi
++set $line ; TYPE=$7 ; HOST=$(validate_host ${10})
++if ( [ "$TYPE" = "\"s\"" ] || [ "$TYPE" = "\"S\"" ] ) && [ -n 
"${HOST}" ]; then
++SRV_HOST=${HOST%.}
++host_it_srv
++fi
+ done
+ }
+ 
+diff --git a/tools/radsec-dynsrv.sh b/tools/radsec-dynsrv.sh
+index 2eff080..68bb5ba 100755
+--- a/tools/radsec-dynsrv.sh
 b/tools/radsec-dynsrv.sh
+@@ -19,19 +19,31 @@ DIGCMD=$(command -v digaaa)
+ HOSTCMD=$(command -v host)
+ PRINTCMD=$(command -v printf

Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2018-03-30 Thread Sven Hartge 
On 30.03.2018 18:03, Julien Cristau wrote:
> On Sun, Mar  4, 2018 at 11:08:00 +0100, Carsten Leonhardt wrote:
> 
>> Control: tags -1 - moreinfo
>>
>> "Adam D. Barratt"  writes:
>>
>>> -   --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
>>> +   --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>>>
>>> The first of those "-g" is presumably supposed to be "-u". I realise
>>> this may seem a small point, but it does make me wonder how it wasn't
>>> caught in testing.
>>
>> Thank you for your work and for catching this. A new version of the
>> patch is attached.
>>
> This leaves open the question of how much was this tested.  Can you
> describe what has or hasn't been done there?

I tested the proposed packages in a SysV-Init-based Debian Stretch VM. I
can confirm every daemon runs as the user and group it is supposed to
run as.

root@debian-stretch:~# ps auwwx | grep [b]acula
root  5101  0.0  0.2  66988  5512 ?Ssl  21:16   0:00
/usr/sbin/bacula-fd -u root -g root -c /etc/bacula/bacula-fd.conf
bacula5175  0.0  0.2 130420  5384 ?Ssl  21:16   0:00
/usr/sbin/bacula-sd -u bacula -g tape -c /etc/bacula/bacula-sd.conf
bacula5403  0.0  0.3  74728  6628 ?Ssl  21:20   0:00
/usr/sbin/bacula-dir -u bacula -g bacula -c /etc/bacula/bacula-dir.conf

root@debian-stretch:~# ps -eo pid,comm,euser,supgrp | grep [b]acula
 5101 bacula-fd   root root
 5175 bacula-sd   bacula   tape
 5403 bacula-dir  bacula   tape,bacula

I also checked why I did not notice the problem Adam spotted in the
first place. I can only guess this happened because bacula-dir fell back
to running as "root" when no "-u bacula" was specified, which made all
my tests work as they should (because root has obviously no restrictions).

The reason for this fallback is the Debian package does not specify a
runtime user at build time. This was done in the past so that the
runtime user can be chosen by the admin of the system.

But since then we changed the packaging and got rid of this ability
because in reality nobody was doing this anyway and it complicated the
packaging.

If the runtime user were set during package build, this problem would
not have occurred because the parameters -u and -g wouldn't be needed in
the first place.

Grüße,
Sven.




signature.asc
Description: OpenPGP digital signature

Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2018-03-03 Thread Sven Hartge 
On 03.03.2018 14:34, Adam D. Barratt wrote:
> On Mon, 2018-02-26 at 13:14 +0100, Carsten Leonhardt wrote:

>> here is a new version of the patch. I now additionally let
>> bacula-common.preinst check for the existence of
>> bacula-director-common.postrm and comment out the offending line if
>> found (first chunk in the diff). I chose to use bacula-common because
>> it
>> is depended upon by all other bacula packages.
>>
>> I've also amended the text in the changelog, otherwise the rest of
>> the
>> patch is the same as the previous version.
> 
> - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
> + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
> 
> The first of those "-g" is presumably supposed to be "-u". I realise
> this may seem a small point, but it does make me wonder how it wasn't
> caught in testing.

This is embarrassing. You are of course right. I am sorry. Must have
been a copy'n'waste error on my part.

I'll prepare a fix for Sid and Stretch at once.

As why this has not been caught during testing I need to investigate. I
have a suspicion but I need to confirm it first.

Grüße,
Sven.



signature.asc
Description: OpenPGP digital signature

Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2018-03-03 Thread Sven Hartge 
On 03.03.2018 15:17, Sven Hartge wrote:
> On 03.03.2018 14:34, Adam D. Barratt wrote:

>> The first of those "-g" is presumably supposed to be "-u". I realise
>> this may seem a small point, but it does make me wonder how it wasn't
>> caught in testing.
> 
> This is embarrassing. You are of course right. I am sorry. Must have
> been a copy'n'waste error on my part.
> 
> I'll prepare a fix for Sid and Stretch at once.

I have pushed a fix to the master and stretch branches.

> As why this has not been caught during testing I need to investigate. I
> have a suspicion but I need to confirm it first.

My suspicion was not true, but it shows an error in my testing
procedure. It seems I only tested the systemd path and not the SysV-init
one.

Grüße,
Sven.



signature.asc
Description: OpenPGP digital signature