Bug#1033323: unblock: radsecproxy/1.9.2-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: radsecpr...@packages.debian.org
Control: affects -1 + src:radsecproxy

Please unblock package radsecproxy

[ Reason ]
Getting the new logcheck rules compatible with new rsyslog format into Debian Bookworm, preventing a regression on logcheck reporting.

[ Impact ]
logcheck ignore rules will no longer match, creating mails every hour if logcheck is used, regressing the behavior seen in Debian Bullseye.

[ Tests ]
No automated tests but the packages with the new rules have been running in production at my employer for the last 4 weeks, working correctly.

[ Risks ]
No risks involved, the core code of the daemon is unchanged from the 1.9.2-1 version, only the logcheck rules have changed.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]

unblock radsecproxy/1.9.2-2

diff -Nru radsecproxy-1.9.2/debian/changelog radsecproxy-1.9.2/debian/changelog --- radsecproxy-1.9.2/debian/changelog 2023-02-16 14:28:15.0 +0100 +++ radsecproxy-1.9.2/debian/changelog 2023-03-06 16:39:08.0 +0100 @@ -1,3 +1,10 @@ +radsecproxy (1.9.2-2) unstable; urgency=medium + + * Improve logcheck patterns to reduce noise + * Make logcheck rules compatible with all syslog timestamp formats + + -- Sven Hartge Mon, 06 Mar 2023 16:39:08 +0100 + radsecproxy (1.9.2-1) unstable; urgency=medium * New upstream version 1.9.2 diff -Nru radsecproxy-1.9.2/debian/logcheck.ignore.server radsecproxy-1.9.2/debian/logcheck.ignore.server --- radsecproxy-1.9.2/debian/logcheck.ignore.server 2023-02-16 14:28:15.0 +0100 +++ radsecproxy-1.9.2/debian/logcheck.ignore.server 2023-03-06 16:39:08.0 +0100 
@@ -1,3 +1,4 @@ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: (Accounting-Response|Access-(Accept|Reject)) for user [@._[:alnum:]-]+ (stationid [.:[:xdigit:]-]+ )?from [._[:alnum:]-]+( \([[:print:]]+\))? to [._[:alnum:]-]+ \([.:[:xdigit:]]+\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: Access-Accept \(response to Status-Server\) from [._[:alnum:]-]+ to [._[:alnum:]-]+ \([.:[:xdigit:]]+\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: replyh: got status server response from [._[:alnum:]-]+$ +^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: (Accounting-Response|Access-(Accept|Reject)) for user [@._[:alnum:]-]+ (stationid [.:[:xdigit:]-]+ )?from [._[:alnum:]-]+( \([[:print:]]+\))? to [._[:alnum:]-]+ \([.:[:xdigit:]]+\)( operator [[:print:]]+)?$ +^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: Access-Accept \(response to Status-Server\) from [._[:alnum:]-]+ to [._[:alnum:]-]+ \([.:[:xdigit:]]+\)( operator [._[:alnum:]-]+)?$ +^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: replyh: got status server response from [._[:alnum:]-]+$ +^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: missing response to Access-Request for user [@._[:alnum:]-]+ (stationid [.:[:xdigit:]-]+ )?from [._[:alnum:]-]+ \([.:[:xdigit:]]+\) to [._[:alnum:]-]+$
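Review bot: the trailing operator field is matched inconsistently across the two rules that gained it: the Access-Accept/Reject rule ends in `( operator [[:print:]]+)?$` while the Status-Server rule ends in `( operator [._[:alnum:]-]+)?$`. `[[:print:]]+` swallows everything up to end of line, so on the first rule the `$` anchor no longer constrains what may follow `operator`; using the tighter `[._[:alnum:]-]+` class there as well keeps the ignore rule from also hiding unexpected trailing text. The timestamp alternative `[0-9T:.+-]{32}` accepts any 32 characters from that set rather than a strict RFC 3339 shape, which is tolerable here only because the remainder of each line is matched tightly.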
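To make the regression described under [ Reason ] and [ Impact ] concrete, here is an added check (not part of the bug report or of the radsecproxy package) that runs the old and new Access-Accept/Reject ignore rules from the debdiff over constructed log lines; the POSIX-class mapping and the sample lines are mine.

```python
import re

# Rules copied from the debdiff: the "for user" ignore line before (1.9.2-1)
# and after (1.9.2-2) the change. logcheck feeds such rules to grep -E.
OLD_RULE = (r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: "
            r"(Accounting-Response|Access-(Accept|Reject)) for user [@._[:alnum:]-]+ "
            r"(stationid [.:[:xdigit:]-]+ )?from [._[:alnum:]-]+( \([[:print:]]+\))? "
            r"to [._[:alnum:]-]+ \([.:[:xdigit:]]+\)$")
NEW_RULE = (r"^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ radsecproxy\[[[:digit:]]+\]: "
            r"(Accounting-Response|Access-(Accept|Reject)) for user [@._[:alnum:]-]+ "
            r"(stationid [.:[:xdigit:]-]+ )?from [._[:alnum:]-]+( \([[:print:]]+\))? "
            r"to [._[:alnum:]-]+ \([.:[:xdigit:]]+\)( operator [[:print:]]+)?$")

# Python's re has no POSIX bracket classes; map the four these rules use so the
# ERE can be exercised here (an ASCII approximation of grep -E, my assumption).
_POSIX_CLASSES = {"[:digit:]": "0-9", "[:alnum:]": "a-zA-Z0-9",
                  "[:xdigit:]": "0-9a-fA-F", "[:print:]": r"\x20-\x7e"}

def posix_ere_to_python(rule):
    for name, equivalent in _POSIX_CLASSES.items():
        rule = rule.replace(name, equivalent)
    return re.compile(rule)

def ignored_lines(rule, lines):
    """Lines a single logcheck ignore rule suppresses."""
    pattern = posix_ere_to_python(rule)
    return [line for line in lines if pattern.search(line)]

def reported_lines(rule, lines):
    """Lines that would still end up in the hourly logcheck mail."""
    suppressed = set(ignored_lines(rule, lines))
    return [line for line in lines if line not in suppressed]

# Constructed sample log: traditional syslog timestamp, the RFC 3339 timestamp
# rsyslog now writes by default, the new "operator" suffix, and one problem line
# that no ignore rule may swallow. None of these are real captured lines.
_MSG = ("Access-Accept for user alice@example.org stationid 00-11-22-33-44-55 "
        "from nas1 (10.0.0.5) to srv1 (192.0.2.10)")
SAMPLE_LOG = [
    "Mar  6 16:39:08 proxy1 radsecproxy[1234]: " + _MSG,
    "2023-03-06T16:39:08.123456+01:00 proxy1 radsecproxy[1234]: " + _MSG,
    "Mar  6 16:39:09 proxy1 radsecproxy[1234]: Access-Reject for user bob@example.org "
    "from nas2 to srv1 (192.0.2.10) operator 1example.org",
    "Mar  6 16:39:10 proxy1 radsecproxy[1234]: constructed error: verification failed for nas1",
]

if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        print(name, "rule still reports", len(reported_lines(rule, SAMPLE_LOG)),
              "of", len(SAMPLE_LOG), "lines")
```

With the old rule only the traditional-timestamp line is suppressed, so the RFC 3339 line and the new operator suffix would be mailed every hour; the new rule suppresses all three while the error line is still reported.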
Bug#989177: unblock: radsecproxy/1.8.2-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package radsecproxy

Version 1.8.2-4 fixes a minor CVE in some of the provided example helper scripts. There is no change to any other active code in radsecproxy itself.

A full debdiff is attached.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

unblock radsecproxy/1.8.2-4

diff -Nru radsecproxy-1.8.2/debian/changelog radsecproxy-1.8.2/debian/changelog --- radsecproxy-1.8.2/debian/changelog 2020-11-23 12:09:13.0 +0100 +++ radsecproxy-1.8.2/debian/changelog 2021-05-27 07:58:57.0 +0200 @@ -1,3 +1,9 @@ +radsecproxy (1.8.2-4) unstable; urgency=high + + * Fix CVE-2021-32642 + + -- Sven Hartge Thu, 27 May 2021 07:58:57 +0200 + radsecproxy (1.8.2-3) unstable; urgency=medium * Remove override for no longer existing lintian tag. diff -Nru radsecproxy-1.8.2/debian/gbp.conf radsecproxy-1.8.2/debian/gbp.conf --- radsecproxy-1.8.2/debian/gbp.conf 1970-01-01 01:00:00.0 +0100 +++ radsecproxy-1.8.2/debian/gbp.conf 2021-05-27 07:58:57.0 +0200 @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = bullseye + diff -Nru radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 --- radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 1970-01-01 01:00:00.0 +0100 +++ radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 2021-05-27 07:58:57.0 +0200 
@@ -0,0 +1,124 @@ +Author: Fabian Mauchle +Last-Update: 2021-05-04 +Description: add result validation to dyndisc example scripts + +Original Commit ab7a2ea42a75d5ad3421e4365f63cbdcb08fb7af Mon Sep 17 00:00:00 2001 +reported by Philipp Jeitner and Haya Shulman, Fraunhofer SIT + +--- + tools/naptr-eduroam.sh | 40 ++-- + tools/radsec-dynsrv.sh | 20 + 2 files changed, 42 insertions(+), 18 deletions(-) + +diff --git a/tools/naptr-eduroam.sh b/tools/naptr-eduroam.sh +index e310812..5402d18 100755 +--- a/tools/naptr-eduroam.sh b/tools/naptr-eduroam.sh +@@ -19,41 +19,53 @@ DIGCMD=$(command -v dig) + HOSTCMD=$(command -v host) + PRINTCMD=$(command -v printf) + ++validate_host() { ++ echo ${@} | tr -d '\n\t\r' | grep -E '^[_0-9a-zA-Z][-._0-9a-zA-Z]*$' ++} ++ ++validate_port() { ++ echo ${@} | tr -d '\n\t\r' | grep -E '^[0-9]+$' ++} ++ + dig_it_srv() { + ${DIGCMD} +short srv $SRV_HOST | sort -n -k1 | + while read line; do +- set $line ; PORT=$3 ; HOST=$4 +- $PRINTCMD "\thost ${HOST%.}:${PORT}\n" ++set $line ; PORT=$(validate_port $3) ; HOST=$(validate_host $4) ++if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then ++$PRINTCMD "\thost ${HOST%.}:${PORT}\n" ++fi + done + } + + dig_it_naptr() { + ${DIGCMD} +short naptr ${REALM} | grep x-eduroam:radius.tls | sort -n -k1 | + while read line; do +- set $line ; TYPE=$3 ; HOST=$6 +- if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then +- SRV_HOST=${HOST%.} +- dig_it_srv +- fi ++set $line ; TYPE=$3 ; HOST=$(validate_host $6) ++if ( [ "$TYPE" = "\"s\"" ] || [ "$TYPE" = "\"S\"" ] ) && [ -n "${HOST}" ]; then ++SRV_HOST=${HOST%.} ++dig_it_srv ++fi + done + } + + host_it_srv() { + ${HOSTCMD} -t srv $SRV_HOST | sort -n -k5 | + while read line; do +- set $line ; PORT=$7 ; HOST=$8 +- $PRINTCMD "\thost ${HOST%.}:${PORT}\n" ++set $line ; PORT=$(validate_port $7) ; HOST=$(validate_host $8) ++if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then ++$PRINTCMD "\thost ${HOST%.}:${PORT}\n" ++fi + done + } + + host_it_naptr() { + ${HOSTCMD} -t naptr ${REALM} | grep 
x-eduroam:radius.tls | sort -n -k5 | + while read line; do +- set $line ; TYPE=$7 ; HOST=${10} +- if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then +- SRV_HOST=${HOST%.} +- host_it_srv +- fi ++set $line ; TYPE=$7 ; HOST=$(validate_host ${10}) ++if ( [ "$TYPE" = "\"s\"" ] || [ "$TYPE" = "\"S\"" ] ) && [ -n "${HOST}" ]; then ++SRV_HOST=${HOST%.} ++host_it_srv ++fi + done + } + +diff --git a/tools/radsec-dynsrv.sh b/tools/radsec-dynsrv.sh +index 2eff080..68bb5ba 100755 +--- a/tools/radsec-dynsrv.sh b/tools/radsec-dynsrv.sh +@@ -19,19 +19,31 @@ DIGCMD=$(command -v digaaa) + HOSTCMD=$(command -v host) + PRINTCMD=$(command -v printf
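Review bot: in the tools/naptr-eduroam.sh hunk, `validate_host` and `validate_port` pass their argument through `echo ${@}` unquoted, so a DNS answer containing shell glob characters is expanded against the current directory before the regex ever sees it, and a value beginning with `-` may be consumed by `echo` as an option; `printf '%s\n' "$*" | tr -d '\n\t\r' | grep -E '...'` avoids both. The whole-string anchors `^[_0-9a-zA-Z][-._0-9a-zA-Z]*$` and `^[0-9]+$` are the right shape, since the result is written straight into a radsecproxy `host` config line via `$PRINTCMD`. Minor: `if ( [ ... ] || [ ... ] ) && [ -n "${HOST}" ]` forks a subshell for the grouping; `{ [ ... ] || [ ... ]; }` does the same without it.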
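Review bot: the context line `DIGCMD=$(command -v digaaa)` at the head of the tools/radsec-dynsrv.sh hunk looks like a stray typo for `dig`; it would leave `DIGCMD` empty and silently send this script down the `host` path, which deserves a fix in the same upload even though it is outside the changed lines. The remainder of this hunk is cut off in the debdiff as shown here, so the `validate_*` changes to this second script cannot be reviewed from it.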
Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On 30.03.2018 18:03, Julien Cristau wrote:
> On Sun, Mar 4, 2018 at 11:08:00 +0100, Carsten Leonhardt wrote:
>
>> Control: tags -1 - moreinfo
>>
>> "Adam D. Barratt" writes:
>>
>>> - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
>>> + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>>>
>>> The first of those "-g" is presumably supposed to be "-u". I realise
>>> this may seem a small point, but it does make me wonder how it wasn't
>>> caught in testing.
>>
>> Thank you for your work and for catching this. A new version of the
>> patch is attached.
>>
> This leaves open the question of how much was this tested. Can you
> describe what has or hasn't been done there?

I tested the proposed packages in a SysV-Init-based Debian Stretch VM. I can confirm every daemon runs as the user and group it is supposed to run as.

root@debian-stretch:~# ps auwwx | grep [b]acula
root      5101  0.0  0.2  66988  5512 ?        Ssl  21:16   0:00 /usr/sbin/bacula-fd -u root -g root -c /etc/bacula/bacula-fd.conf
bacula    5175  0.0  0.2 130420  5384 ?        Ssl  21:16   0:00 /usr/sbin/bacula-sd -u bacula -g tape -c /etc/bacula/bacula-sd.conf
bacula    5403  0.0  0.3  74728  6628 ?        Ssl  21:20   0:00 /usr/sbin/bacula-dir -u bacula -g bacula -c /etc/bacula/bacula-dir.conf

root@debian-stretch:~# ps -eo pid,comm,euser,supgrp | grep [b]acula
 5101 bacula-fd       root     root
 5175 bacula-sd       bacula   tape
 5403 bacula-dir      bacula   tape,bacula

I also checked why I did not notice the problem Adam spotted in the first place. I can only guess this happened because bacula-dir fell back to running as "root" when no "-u bacula" was specified, which made all my tests work as they should (because root obviously has no restrictions).

The reason for this fallback is that the Debian package does not specify a runtime user at build time. This was done in the past so that the runtime user can be chosen by the admin of the system. But since then we changed the packaging and got rid of this ability, because in reality nobody was doing this anyway and it complicated the packaging.

If the runtime user were set during package build, this problem would not have occurred, because the parameters -u and -g wouldn't be needed in the first place.

Regards,
Sven.
Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On 03.03.2018 14:34, Adam D. Barratt wrote:
> On Mon, 2018-02-26 at 13:14 +0100, Carsten Leonhardt wrote:
>> here is a new version of the patch. I now additionally let
>> bacula-common.preinst check for the existence of
>> bacula-director-common.postrm and comment out the offending line if
>> found (first chunk in the diff). I chose to use bacula-common because
>> it is depended upon by all other bacula packages.
>>
>> I've also amended the text in the changelog, otherwise the rest of
>> the patch is the same as the previous version.
>
> - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
> + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>
> The first of those "-g" is presumably supposed to be "-u". I realise
> this may seem a small point, but it does make me wonder how it wasn't
> caught in testing.

This is embarrassing. You are of course right. I am sorry. Must have been a copy'n'waste error on my part.

I'll prepare a fix for Sid and Stretch at once.

As to why this has not been caught during testing, I need to investigate. I have a suspicion but I need to confirm it first.

Regards,
Sven.
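Review bot: beyond the duplicated `-g` (the first should be `-u`), replacing `--chuid $BUSER:$BGROUP` with daemon options moves the privilege drop from start-stop-daemon into the daemon itself: the init script now launches the process as root and trusts it to switch to `$BUSER`/`$BGROUP`, so a wrong or missing option leaves it running as root silently instead of failing to start, which is exactly the fallback the thread later describes for bacula-dir. A post-start assertion in the init script or the package tests that each daemon's effective user equals `$BUSER` (for example with `ps -o euser=`) would have surfaced this.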
Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On 03.03.2018 15:17, Sven Hartge wrote:
> On 03.03.2018 14:34, Adam D. Barratt wrote:
>> The first of those "-g" is presumably supposed to be "-u". I realise
>> this may seem a small point, but it does make me wonder how it wasn't
>> caught in testing.
>
> This is embarrassing. You are of course right. I am sorry. Must have
> been a copy'n'waste error on my part.
>
> I'll prepare a fix for Sid and Stretch at once.

I have pushed a fix to the master and stretch branches.

> As to why this has not been caught during testing, I need to investigate. I
> have a suspicion but I need to confirm it first.

My suspicion was not true, but it shows an error in my testing procedure. It seems I only tested the systemd path and not the SysV-init one.

Regards,
Sven.