Hello,
I think this commit [1] (3.17.0) introduced a security problem, which was
assigned CVE-2022-1348 [2].
They fixed it in [3] (3.20.0) and [4] (3.20.1).
Although I see you've pulled from debian/sid the patched version, I don't think
you have ever pushed those patches to jammy/devel.
May I request to release a package with the fix?
Thanks
[1]: https://github.com/logrotate/logrotate/commit/f46d0bdfc9c53515c13880c501f4d2e1e7dd8b25
[2]: https://github.com/advisories/GHSA-4c4j-w8hm-rjgv
[3]: https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9
[4]: https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1348
https://bugs.launchpad.net/bugs/1977689
Title:
Wrong error msg: "state file /var/lib/logrotate/status is world-readable" although it is not
Status in logrotate package in Ubuntu:
Confirmed
Bug description:
Ubuntu 22.04
logrotate 3.19.0-1ubuntu1.1
Every hour, I receive this wrong message:
Subject: Cron >cd / && run-parts --report /etc/cron.hourly
/etc/cron.hourly/logrotate:
error: state file /var/lib/logrotate/status is world-readable and thus can be
locked from other unprivileged users. Skipping lock acquisition...
despite:
# ls -al /var/lib/logrotate
total 40
drwxr-x--- 2 root root 4096 Jun 5 17:17 .
drwxr-xr-x 66 root root 4096 Jun 3 20:02 ..
-rw-r- 1 root root 31974 Jun 5 17:17 status