Your message dated Fri, 28 Oct 2016 20:11:48 +0000
with message-id <e1c0dve-0000ad...@franck.debian.org>
and subject line Bug#842276: fixed in nginx 1.6.2-5+deb8u4
has caused the Debian Bug report #842276,
regarding nginx-common.config dpkg --compare-versions will mishandle return codes should the check fail
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
842276: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842276
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nginx
Severity: serious
Version: 1.6.2-5+deb8u3

This was originally identified as a result of my own failure downstream
in Ubuntu when applying the patches from Debian for CVE-2016-1247.

One of the things added was nginx-common.config.  In this, the following
set of code exists:

log_symlinks_check() {
    # Skip new installations
    [ -z "$1" ] && return

    # Skip unaffected installations
    dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return

    # Check for unsecure symlinks
    linked_logfiles="` find "$logdir" -type l -user www-data -name '*.log' `"

    # Skip if nothing is found
    [ -z "$linked_logfiles" ] && return

    db_subst nginx/log-symlinks logfiles $linked_logfiles
    db_input high nginx/log-symlinks || true
    db_go || true
}


This line will break all future version upgrades:

dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return



What happens here is, say that the package is updated, and we have
+deb8u4 then.  Let's examine the error code we get from this:

teward@debian:~$ dpkg --compare-versions 1.6.2-5+deb8u4 lt-nl 1.6.2-5+deb8u3; echo $?
1


This error code is caught by `dpkg` and will ultimately die off with a
failure code, like this (NOTE: +deb8u4 was a 'fake' package created by
me from the nginx source code that has no changes between +deb8u3, it
was just used to test the version bump issue):

teward@debian:~$ sudo dpkg -i ./nginx-common_1.6.2-5+deb8u4_all.deb
(Reading database ... 29849 files and directories currently installed.)
Preparing to unpack .../nginx-common_1.6.2-5+deb8u4_all.deb ...
Unpacking nginx-common (1.6.2-5+deb8u4) over (1.6.2-5+deb8u3) ...
Setting up nginx-common (1.6.2-5+deb8u4) ...
dpkg: error processing package nginx-common (--install):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for systemd (215-17+deb8u5) ...
Processing triggers for man-db (2.7.0.2-5) ...
Errors were encountered while processing:
 nginx-common


This prevents clean package updates.

The fix implemented downstream, considered a Security Regression update
in Ubuntu, was to change the line referenced above to the following:

dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return 0


This will force an "OK" status code when the version check fails, and
permit updating.


Please update this ASAP, *long before* we have to deal with this as a
core problem in the package.



------
Thomas

--- End Message ---
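The return-code problem in the report, reproduced in isolation as an added example (this is not code from the bug report or from the nginx package). The function names `log_symlinks_check_buggy`, `log_symlinks_check_fixed`, `version_lt` and `run_check` are hypothetical; the sample versions are the ones the report discusses plus a constructed older one, and `version_lt` falls back to an assumed suffix comparison when `dpkg` is not installed so the script runs offline. The point it demonstrates is the POSIX rule that a bare `return` hands back the exit status of the last command executed, so `cmd || return` makes the whole function, and hence the config script, fail whenever `cmd` fails, while `cmd || return 0` turns "nothing to do" into success.

```shell
#!/bin/sh
# Added example, not code from the Debian bug report or the nginx package.
# Shows why `cmd || return` propagates cmd's failure status out of the
# function while `cmd || return 0` does not.

THRESHOLD="1.6.2-5+deb8u3"   # first version with the symlink check, per the report

# Is $1 older than $2?  Uses the real dpkg comparison when available; the
# fallback is an assumed stand-in that only compares the "+deb8uN" suffix of
# the constructed sample versions used here (enough to reproduce the bug).
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt-nl "$2"
    else
        [ "${1##*+deb8u}" -lt "${2##*+deb8u}" ]
    fi
}

# Shape of the original check (hypothetical name).  When the old version is
# not older than THRESHOLD, version_lt fails, the bare `return` inherits that
# status (1), and the caller sees the function fail.
log_symlinks_check_buggy() {
    [ -z "$1" ] && return            # new installation: `[` succeeded, so returns 0
    version_lt "$1" "$THRESHOLD" || return
    echo "would prompt about symlinked logfiles"
}

# The fix from the report: an explicit `return 0`, so "unaffected" is success.
log_symlinks_check_fixed() {
    [ -z "$1" ] && return 0
    version_lt "$1" "$THRESHOLD" || return 0
    echo "would prompt about symlinked logfiles"
}

# Report a check's exit status the way dpkg judges a maintainer script:
# 0 lets the upgrade continue, anything else becomes "subprocess installed
# post-installation script returned error exit status N".  The `|| status=$?`
# form keeps this correct even under `set -e`.
run_check() {
    status=0
    "$1" "$2" >/dev/null || status=$?
    echo "$status"
}

# Walk through the three cases: fresh install, unaffected older version,
# and the +deb8u4 upgrade that broke in the report.
if [ "${1:-}" = "--demo" ]; then
    for ver in "" 1.6.2-5+deb8u2 1.6.2-5+deb8u4; do
        echo "old version '${ver}': buggy=$(run_check log_symlinks_check_buggy "$ver")" \
             "fixed=$(run_check log_symlinks_check_fixed "$ver")"
    done
fi
```

Run with `sh example.sh --demo`; only the buggy variant upgrading from a version at or above the threshold reports a non-zero status, which is exactly the `--install` failure shown in the report.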
--- Begin Message ---
Source: nginx
Source-Version: 1.6.2-5+deb8u4

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Oct 2016 20:22:42 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg
Architecture: all source
Version: 1.6.2-5+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Kartik Mistry <kar...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 842276
Description: 
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
Changes:
 nginx (1.6.2-5+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/nginx-common.config: fix return code so script doesn't exit.
     Thanks to Marc Deslauriers and Thomas Ward (Closes: #842276)
Checksums-Sha1: 
 463ec59d8c9e45f8229cf88b71fb36ff7b36d949 3091 nginx_1.6.2-5+deb8u4.dsc
 7f1f64beb538c7c7b84e3f631315640e30a4c511 611216 nginx_1.6.2-5+deb8u4.debian.tar.xz
 207d5faa60c16a298feac6525bc936c8fd938ed2 72596 nginx_1.6.2-5+deb8u4_all.deb
 a50f9cc253e5b699605e4e9953cfdfe262c8f4ae 84096 nginx-doc_1.6.2-5+deb8u4_all.deb
 4a0c381ba3ec510c5112af3873f06c19c8cf11b7 88058 nginx-common_1.6.2-5+deb8u4_all.deb
Checksums-Sha256: 
 14a323895d9fab5faf443957a13f8345c72cbeb023e9aef6dccac73331abf3ed 3091 nginx_1.6.2-5+deb8u4.dsc
 5d56e3dadb385d7d63b18378cbc70e94109284a9ac310004f6cd3b7d6a85dbcf 611216 nginx_1.6.2-5+deb8u4.debian.tar.xz
 86e65be6bfd63acbbe1fb709b54d1c3b5469e7b51f1fbf722d7f4a416561acda 72596 nginx_1.6.2-5+deb8u4_all.deb
 edbe85117a443f3538a33a01782f6a1d79a02053bdc73a8bb8416a34a34ff650 84096 nginx-doc_1.6.2-5+deb8u4_all.deb
 056df0a0157eddf3f95d8764b6ffabbd423f3d75edc9e82ae3187b8104efb0e5 88058 nginx-common_1.6.2-5+deb8u4_all.deb
Files: 
 b5b226318cc0a03d6d561229fb37ab28 3091 httpd optional nginx_1.6.2-5+deb8u4.dsc
 419f1c183ea04817ddfe2a034656c133 611216 httpd optional nginx_1.6.2-5+deb8u4.debian.tar.xz
 15ee34d7cbf04e4bc524576467416334 72596 httpd optional nginx_1.6.2-5+deb8u4_all.deb
 44fbb705f85d3c2f7ea958e5e71ebe8e 84096 doc optional nginx-doc_1.6.2-5+deb8u4_all.deb
 82c0e448ee8689bc5d5b8341c7749f8d 88058 httpd optional nginx-common_1.6.2-5+deb8u4_all.deb

-----BEGIN PGP SIGNATURE-----

iQKPBAEBCgB5BQJYEkjSXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0NjQ0NDA5ODA4QzE3MUUwNTUzMURERUUw
NTRDQjhGMzEzNDNDRjQ0EhxjYXJuaWxAZGViaWFuLm9yZwAKCRAFTLjzE0PPRPjd
D/0RETceaowbPpEeOo73A8GaBcaU7RW+DkUlxhoM4lo2dyZIQH7G1RuIM0VYeqRr
8kg7HLx+5K1apELuC2ii7oFKBWvAZFxYtD9bu6nqBHCCcwpZLtw4EZmEZpmN+c3m
vLT15wrboBLPfUCSDquf/kz2zzZGurXeLoPmqyl1P4MPJ/tOVwfnL3hzzqa2IaGJ
W7gUcTHJcPYGHQrPuEWktwMJc5T2xLdEPSByxxGrFfCKKUwj+AALiXVGQ2PsMgSD
VD0B33DyhNK2trEghrs4k2VMZl5WuZRzz5XrFbO925VkPvkoZDlPbpvHAvitGr+6
aVHX4oHxhd4SM05TFRAELcL5uOP90d1MfbfDohYzdWROkvzA3msShfAmrfTvBi95
EASR9C0HP/KP+lFGxN4lPT9Pd6EDpaQLzdz+hi64WOhBUbVU+0JMXv1DFEYn0aBR
KhJlw0rEvXQi3uHXT7SKvZBWvSCUnbAS5Tdp6/4K1XIZn+bP+6U6ycCpUbzJl8R1
nQm/xUaI8oxG5x8AzoH9iFndqezUTc8azDPOGGsk7yp8srFTAoT8tB/eu3bIl7AR
W2CLcCMmvNTdZEpqrehYVZivp7a4um4JIDue4kcXKOxrp/4qiHINqDNlOqxZwCtd
cnDh2E2SqYGVMRmg7Gg33968nCeyp3RM0ATj7KtKE9d0NQ==
=Cdwz
-----END PGP SIGNATURE-----

--- End Message ---
