
Bug#970349: marked as done (buster-pu: package icinga2/2.10.3-2+deb10u1)



Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970349,
regarding buster-pu: package icinga2/2.10.3-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970349
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

icinga2 in buster is affected by CVE-2020-14004 as reported in #970252.

As it was deemed no-dsa it should be fixed via stable update.

Kind Regards,

Bas
diff -Nru icinga2-2.10.3/debian/changelog icinga2-2.10.3/debian/changelog
--- icinga2-2.10.3/debian/changelog	2019-03-01 12:18:30.000000000 +0100
+++ icinga2-2.10.3/debian/changelog	2020-09-14 06:47:22.000000000 +0200
@@ -1,3 +1,12 @@
+icinga2 (2.10.3-2+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Update branch in gbp.conf & Vcs-Git URL.
+  * Add upstream patch to fix CVE-2020-14004.
+    (closes: #970252)
+
+ -- Bas Couwenberg <sebastic@debian.org>  Mon, 14 Sep 2020 06:47:22 +0200
+
 icinga2 (2.10.3-2) unstable; urgency=medium
 
   * Team upload.
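Review bot: The changelog line 'Add upstream patch to fix CVE-2020-14004' names neither the patch nor what it changes. Naming 0001-prepare-dirs-combine-mkdir-and-chmod.patch and the affected script, etc/initsystem/prepare-dirs.cmake, would let a reader of the changelog locate the fix without opening the debdiff.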
diff -Nru icinga2-2.10.3/debian/control icinga2-2.10.3/debian/control
--- icinga2-2.10.3/debian/control	2018-12-25 23:27:26.000000000 +0100
+++ icinga2-2.10.3/debian/control	2020-09-14 06:47:22.000000000 +0200
@@ -29,7 +29,7 @@
                po-debconf
 Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-icinga2
-Vcs-Git: https://salsa.debian.org/nagios-team/pkg-icinga2.git
+Vcs-Git: https://salsa.debian.org/nagios-team/pkg-icinga2.git -b buster
 Homepage: https://icinga.com
 
 Package: icinga2
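Review bot: Vcs-Git now selects the branch with '-b buster', but the Vcs-Browser line directly above it is left unchanged at the repository root, so the two fields no longer point at the same branch. Consider updating Vcs-Browser to the buster branch view in the same upload.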
diff -Nru icinga2-2.10.3/debian/gbp.conf icinga2-2.10.3/debian/gbp.conf
--- icinga2-2.10.3/debian/gbp.conf	2018-12-12 08:10:41.000000000 +0100
+++ icinga2-2.10.3/debian/gbp.conf	2020-09-14 06:47:22.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = buster
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch
--- icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch	1970-01-01 01:00:00.000000000 +0100
+++ icinga2-2.10.3/debian/patches/0001-prepare-dirs-combine-mkdir-and-chmod.patch	2020-09-14 06:47:22.000000000 +0200
@@ -0,0 +1,23 @@
+Description: prepare-dirs: combine mkdir and chmod
+ Fixes CVE-2020-14004
+Author: "Alexander A. Klimov" <alexander.klimov@icinga.com>
+Origin: https://github.com/Icinga/icinga2/commit/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6
+Bug: https://github.com/Icinga/icinga2/pull/8046
+
+--- a/etc/initsystem/prepare-dirs.cmake
++++ b/etc/initsystem/prepare-dirs.cmake
+@@ -26,12 +26,10 @@ getent group $ICINGA2_GROUP >/dev/null 2
+ getent group $ICINGA2_COMMAND_GROUP >/dev/null 2>&1 || (echo "Icinga command group '$ICINGA2_COMMAND_GROUP' does not exist. Exiting." && exit 6)
+ 
+ if [ ! -e "$ICINGA2_INIT_RUN_DIR" ]; then
+-	mkdir "$ICINGA2_INIT_RUN_DIR"
+-	mkdir "$ICINGA2_INIT_RUN_DIR"/cmd
++	mkdir -m 755 "$ICINGA2_INIT_RUN_DIR"
++	mkdir -m 2750 "$ICINGA2_INIT_RUN_DIR"/cmd
+ fi
+ 
+-chmod 755 "$ICINGA2_INIT_RUN_DIR"
+-chmod 2750 "$ICINGA2_INIT_RUN_DIR"/cmd
+ chown -R $ICINGA2_USER:$ICINGA2_COMMAND_GROUP "$ICINGA2_INIT_RUN_DIR"
+ 
+ test -e "$ICINGA2_LOG_DIR" || install -m 750 -o $ICINGA2_USER -g $ICINGA2_COMMAND_GROUP -d "$ICINGA2_LOG_DIR"
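Review bot: With the two chmod calls folded into 'mkdir -m' inside the 'if [ ! -e "$ICINGA2_INIT_RUN_DIR" ]' branch, modes 755 and 2750 are applied only when the run directory is freshly created. A run directory that already exists keeps whatever mode it has, and a missing cmd subdirectory under an existing parent is still not created. If that is intended, the Description should say so, since it currently gives no rationale beyond 'Fixes CVE-2020-14004'. Otherwise add an explicit branch for the existing-directory case. The context line 'chown -R $ICINGA2_USER:$ICINGA2_COMMAND_GROUP' is untouched: it still runs on every invocation over the whole tree, with the user and group variables unquoted. The header should state whether leaving it as-is is deliberate.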
diff -Nru icinga2-2.10.3/debian/patches/series icinga2-2.10.3/debian/patches/series
--- icinga2-2.10.3/debian/patches/series	2019-03-01 12:17:29.000000000 +0100
+++ icinga2-2.10.3/debian/patches/series	2020-09-14 06:47:22.000000000 +0200
@@ -1,3 +1,4 @@
 21_config_changes
 postgres-checkcommand.patch
 comparepasswords_issafe.patch
+0001-prepare-dirs-combine-mkdir-and-chmod.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
