This bug was fixed in the package rsyslog - 8.2001.0-1ubuntu1 --------------- rsyslog (8.2001.0-1ubuntu1) focal; urgency=medium
[ Christian Ehrhardt ] * Merge with Debian unstable (LP: #1862762). Remaining changes: - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the syslog group can write into /var/log/. - debian/50-default.conf: set of default rules for syslog + debian/50-default.conf: separated default rules + d/rsyslog.install: install default rules + d/rsyslog.postrm: clear default rules on purge + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files + debian/control: Add Depends for ucf - debian/rsyslog.conf: + enable $RepeatedMsgReduction to avoid bloating the syslog file. + enable $KLogPermitNonKernelFacility for non-kernel klog messages + Run as rsyslog:rsyslog, set $FileOwner to syslog + Remove rules moved to 50-default.conf - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd + d/rsyslog.install: install apparmor rule + d/rules: use dh_apparmor to install profile before rsyslog is started + d/control: suggests apparmor (>= 2.3) + d/contrl: Build-Depends on dh-apparmor + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain, /etc/apparmor.d/disable and /etc/apparmor.d/local + d/usr.sbin.rsyslogd apparmor profile for rsyslogd + debian/rsyslog.preinst: disable profile on clean installs. - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message - Drop mmnormalize module, which depends on liblognorm from universe. + d/rules: drop --enable-mmnormalize + d/control: drop build dependency on liblognorm-dev - run as user syslog + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog. + d/rsyslog.postinst: Create syslog user and add it to adm group + d/rsyslog.postinst: Adapt privileges for /var/log + debian/control: Add Depends for adduser - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated log for boot-time kernel messages. - debian/clean: Delete some files left over by the test suite * Dropped Changes: - d/control: drop rsyslog-mongodb package from suggests [ This part was forgotten to be droped in 8.32.0-1ubuntu1 ] - d/rules: Build with --disable-silent-rules to get useful build logs. [ was a no-op as verbose is the default ] - d/rsyslog.postinst: Clean up temporary syslog.service symlink [ Formerly missing in Changelog, now gone in Debian as well ] [ Simon Deziel ] * d/usr.sbin.rsyslogd: apparmor: fix typo in rule for (LP: #1827253). rsyslog (8.2001.0-1) unstable; urgency=medium * New upstream version 8.2001.0 * Set PYTHON=/usr/bin/python3 in debian/rules * Cherry-pick upstream patches which fix a couple of imfile issues * Add missing test files rsyslog (8.1911.0-1) unstable; urgency=medium * New upstream version 8.1911.0 * Follow DEP-14 naming * Rebase patches * Bump Standards-Version to 4.4.1 rsyslog (8.1910.0-2) unstable; urgency=medium * Fix file handle leak in omfile (Closes: #935300) rsyslog (8.1910.0-1) unstable; urgency=medium * New upstream version 8.1910.0 - Support cross-platform build for mysql/mariadb (Closes: #932068) - Fix heap overflow in pmaixforwardedfrom module (CVE-2019-17041, Closes: #942067) - Fix heap overflow in pmcisconames module (CVE-2019-17042, Closes: #942065) * Use Python3 for running the test suite (Closes: #938417) * Enable imfile tests rsyslog (8.1908.0-1) unstable; urgency=medium * New upstream version 8.1908.0 rsyslog (8.1907.0-2) unstable; urgency=medium * Enable OpenSSL network stream driver. Split the driver into a separate package named rsyslog-openssl and update the Suggests accordingly to make it the preferred TLS driver. (Closes: #930816) rsyslog (8.1907.0-1) unstable; urgency=medium * New upstream version 8.1907.0 * Rebase patches rsyslog (8.1905.0-4) unstable; urgency=medium * Stop installing /etc/default/rsyslog and remove it on upgrades * Upload to unstable rsyslog (8.1905.0-3) experimental; urgency=medium * Fix leading double space in rsyslog startup messages (Closes: #907755) * Update URL in logcheck rule to use https instead of http (Closes: #927771) rsyslog (8.1905.0-2) experimental; urgency=medium * Bump Build-Depends on librelp to (>= 1.4.0) for relpEngineSetTLSLibByName() * Add Build-Depends on logrotate and net-tools. Those are required by the test suite: logrotate is used in the imfile-logrotate* tests and ifconfig in sndrcv_tls_anon_ipv6. rsyslog (8.1905.0-1) experimental; urgency=medium * New upstream version 8.1905.0 rsyslog (8.1904.0-1) experimental; urgency=medium * New upstream version 8.1904.0 * Rebase patches rsyslog (8.1903.0-4) experimental; urgency=medium * Drop dependency on lsb-base. It is only needed when booting with sysvinit and initscripts, but initscripts already Depends on lsb-base (see #864999). rsyslog (8.1903.0-3) experimental; urgency=medium * Revert "Enlarged msg offset types for bigger structured messages" Seems to break the test-suite on various architectures. rsyslog (8.1903.0-2) experimental; urgency=medium * Properly respect the nocheck build option rsyslog (8.1903.0-1) experimental; urgency=medium * New upstream version 8.1903.0 * Rebase patches - Drop Run-queue-encryption-tests-only-if-gcrypt-support-is-enab.patch, merged upstream. - Update Don-t-fail-test-suite-on-flaky-tests.patch to no longer treat daqueue-dirty-shutdown as flaky. This test should work reliably now. (Closes: #913984) * Always dump test-suite.log to stdout. In case of a flaky test which is skipped on failure we want to see the test output. * Remove migration code from pre-jessie -- Christian Ehrhardt <christian.ehrha...@canonical.com> Tue, 11 Feb 2020 16:25:29 +0100 ** Changed in: rsyslog (Ubuntu) Status: In Progress => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17041 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17042 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1827253 Title: [apparmor] missing 'mr' on binary for usage on containers Status in rsyslog package in Ubuntu: Fix Released Status in rsyslog source package in Bionic: Triaged Status in rsyslog source package in Disco: Triaged Status in rsyslog source package in Eoan: Triaged Bug description: [Impact] * rsyslog ships with a (Default disable) apparmor profile. * Security sensitive users are in general encouraged to enable such profiles but unfortunately due to slightly new behavior of the program the profile prevents its usage. * Allow the program to map/read its binary to get this working again [Test Case] 1) Create a 'eoan' container called rs1 here: lxc launch ubuntu-daily:e rs1 2) Enter the container lxc shell rs1 3) Enable apparmor profile rm /etc/apparmor.d/disable/usr.sbin.rsyslogd apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd systemctl restart rsyslog 4) notice rsyslog failed to start systemctl status rsyslog [Regression Potential] * This is just opening up the apparmor profile a bit. Therefore the only regression it could cause IMHO is a security issue. But then what it actually allows is reading (not writing!) its own binary which should be very safe. * Thinking further it came to my mind that package updates (independent to the change) might restart services and that means if there is any issue e.g. in a local config that worked but now fails (not by this change but in general) then the upgrade will not cause, but trigger this. This is a general regression risk for any upload, but in this case worth to mention as it is about log handling - which if broken - makes large scale systems hard to debug. [Other Info] * n/a --- Issue description: Enabling the rsyslog (disabled by default) Apparmor profile causes rsyslog to fail to start when running *inside a container*. Steps to reproduce: 1) Create a 'eoan' container called rs1 here: lxc launch ubuntu-daily:e rs1 2) Enter the container lxc shell rs1 3) Enable apparmor profile rm /etc/apparmor.d/disable/usr.sbin.rsyslogd apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd systemctl restart rsyslog 4) notice rsyslog failed to start systemctl status rsyslog Workaround: echo ' /usr/sbin/rsyslogd mr,' >> /etc/apparmor.d/local/usr.sbin.rsyslogd apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd systemctl restart rsyslog Additional information: root@rs1:~# uname -a Linux rs1 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux root@rs1:~# lsb_release -rd Description: Ubuntu Eoan EANIMAL (development branch) Release: 19.10 root@rs1:~# dpkg -l| grep -wE 'apparmor|rsyslog' ii apparmor 2.13.2-9ubuntu6 amd64 user-space parser utility for AppArmor ii rsyslog 8.32.0-1ubuntu7 amd64 reliable system and kernel logging daemon ProblemType: Bug DistroRelease: Ubuntu 19.10 Package: rsyslog 8.32.0-1ubuntu7 ProcVersionSignature: Ubuntu 4.15.0-48.51-generic 4.15.18 Uname: Linux 4.15.0-48-generic x86_64 ApportVersion: 2.20.10-0ubuntu27 Architecture: amd64 Date: Wed May 1 17:36:29 2019 ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: rsyslog UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1827253/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp