Bug#868106: jessie-pu: package rkhunter/1.4.2-0.4

2017-07-16 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-07-15 at 11:44 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2017-07-11 at 20:20 -0700, Francois Marier wrote:
> > This is an update for a security issue that is not going to get a DSA:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2017-7480
> > 
> > Attached is the debdiff against the version in stable.
> 
> This also didn't make it to debian-release for some reason.
> 
> A changelog distribution of "jessie" would be preferred over
> "oldstable".
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#868106: jessie-pu: package rkhunter/1.4.2-0.4

2017-07-15 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2017-07-11 at 20:20 -0700, Francois Marier wrote:
> This is an update for a security issue that is not going to get a DSA:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-7480
> 
> Attached is the debdiff against the version in stable.

This also didn't make it to debian-release for some reason.

A changelog distribution of "jessie" would be preferred over
"oldstable".

Please go ahead.

Regards,

Adam



Bug#868106: jessie-pu: package rkhunter/1.4.2-0.4

2017-07-11 Thread Francois Marier
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is an update for a security issue that is not going to get a DSA:

https://security-tracker.debian.org/tracker/CVE-2017-7480

Attached is the debdiff against the version in stable.

Francois
diff -Nru rkhunter-1.4.2/debian/changelog rkhunter-1.4.2/debian/changelog
--- rkhunter-1.4.2/debian/changelog	2014-11-28 03:27:20.0 -0800
+++ rkhunter-1.4.2/debian/changelog	2017-07-11 20:17:19.0 -0700
@@ -1,3 +1,10 @@
+rkhunter (1.4.2-0.4+deb8u1) oldstable; urgency=high
+
+  * Disable remote updates to fix CVE-2017-7480 and prevent bugs like
+it in the future (closes: #765895, #866677)
+
+ -- Francois Marier   Tue, 11 Jul 2017 20:17:08 -0700
+
 rkhunter (1.4.2-0.4) unstable; urgency=medium
 
   * Non-maintainer upload.
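Review bot: the first line of the new changelog entry targets "oldstable"; for a jessie-pu upload the distribution should read "jessie", as the release team's reply in this thread asks. The entry could also name the rkhunter.conf settings it changes (UPDATE_MIRRORS, MIRRORS_MODE, UPDATE_LANG, WEB_CMD), so that an administrator reading the changelog knows which values to compare against a locally modified configuration.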
diff -Nru rkhunter-1.4.2/debian/patches/06_disable-updates.diff rkhunter-1.4.2/debian/patches/06_disable-updates.diff
--- rkhunter-1.4.2/debian/patches/06_disable-updates.diff	1969-12-31 16:00:00.0 -0800
+++ rkhunter-1.4.2/debian/patches/06_disable-updates.diff	2017-07-11 20:17:19.0 -0700
@@ -0,0 +1,44 @@
+Description: Disable all remote updates
+Author: Christoph Anton Mitterer 
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765895
+Forwarded: not-needed
+Last-Update: 2017-07-05
+
+--- a/files/rkhunter.conf
 b/files/rkhunter.conf
+@@ -104,7 +104,7 @@
+ #
+ # The default value is '1'.
+ #
+-#UPDATE_MIRRORS=1
++UPDATE_MIRRORS=0
+ 
+ #
+ # The MIRRORS_MODE option tells rkhunter which mirrors are to be used when
+@@ -119,7 +119,7 @@
+ #
+ # The default value is '0'.
+ #
+-#MIRRORS_MODE=0
++MIRRORS_MODE=1
+ 
+ #
+ # Email a message to this address if a warning is found when the system is
+@@ -221,7 +221,7 @@ SCRIPTDIR=/usr/share/rkhunter/scripts
+ # The default value is the null string, indicating that all the language files
+ # will be updated.
+ #
+-#UPDATE_LANG=""
++UPDATE_LANG="en"
+ 
+ #
+ # This option specifies the log file pathname. The file will be created if it
+@@ -1131,7 +1131,7 @@ SCRIPTWHITELIST=/usr/sbin/adduser
+ #
+ # This option has no default value.
+ #
+-#WEB_CMD=""
++WEB_CMD="/bin/false"
+ 
+ #
+ # Set the following option to '1' if locking is to be used when rkhunter runs.
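Review bot: the four settings changed in files/rkhunter.conf (UPDATE_MIRRORS=0, MIRRORS_MODE=1, UPDATE_LANG="en", WEB_CMD="/bin/false") carry no comment in the configuration file saying they are deliberate, and the unchanged comment blocks above them still describe defaults of '1', '0', the null string and no value. Add a short comment next to each one (or a single block) stating that remote updates are disabled on purpose for CVE-2017-7480, and say why WEB_CMD points at /bin/false and why UPDATE_LANG is narrowed to "en", so that nobody "restores" the documented defaults later. The patch header also names only #765895, while the changelog closes #866677 as well and cites the CVE; a second Bug-Debian line and a mention of CVE-2017-7480 in the Description would make the patch self-explanatory.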
diff -Nru rkhunter-1.4.2/debian/patches/series rkhunter-1.4.2/debian/patches/series
--- rkhunter-1.4.2/debian/patches/series	2014-11-28 03:27:20.0 -0800
+++ rkhunter-1.4.2/debian/patches/series	2017-07-11 20:17:19.0 -0700
@@ -1,4 +1,5 @@
 05_custom_conffile.diff
+06_disable-updates.diff
 10_fix-man.diff
 15_remove-empty-dir.diff
 20_fix-ipcs-language.diff