Please merge logrotate 3.7.8-4 (main) from Debian unstable (main)

Bug #414347 reported by Bhavani Shankar on 2009-08-16
This bug affects 1 person
Affects: logrotate (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: logrotate

Debian has a new version to be merged

 logrotate (3.7.8-4) unstable; urgency=high

   * New patch:
     + security-388608.patch: A race condition in the creation of
       compressed and copied log files makes it possible to overwrite
       arbitrary files by generating a link or symlink during a window
       of opportunity between logrotate renaming a log file and creating
       the copy of the next. (Closes: #388608) Once again, many thanks to
       Florian Zumbiehl for forcing me to think.
   * Uploading to unstable.

 -- Paul Martin <email address hidden> Fri, 14 Aug 2009 23:22:04 +0100

logrotate (3.7.8-3) experimental; urgency=low

   * New patch:
     + nofollow.patch: If a logfile is a symlink, it may be read when
       being compressed, being copied (copy, copytruncate) or mailed.
       Secure data (eg. password files) may be exposed. Thanks to
       Florian Zumbiehl for getting me thinking about this one.

 -- Paul Martin <email address hidden> Thu, 06 Aug 2009 16:35:41 +0100

logrotate (3.7.8-2) experimental; urgency=low

   * New patch:
     + create-388608.patch: Really squash the race condition for the
       creation of compressed log files and the creation of new ones.
       (Closes: 388608)

 -- Paul Martin <email address hidden> Tue, 04 Aug 2009 21:16:03 +0100

logrotate (3.7.8-1) experimental; urgency=low

   * New upstream release:
     - do not exit on status file errors
     - limit config file inclusion nesting
     - use hashes for status file handling (patch by Petr Tesarik
       <email address hidden> and Leonardo Chiquitto)
     - dateformat to allow unixtime (patch by Sami Kerola <email address hidden>)
   * Upstream has taken some of our patches:
     - manpage.patch: partial uptake, updated
     - man-189243.patch: fully applied upstream
     - man-sizetypo.patch: fully applied upstream
     - man-overriden.patch: fully applied upstream
   * Added a watch file (but upstream has a redirect to https).
   * Upstream has also fixed createOutputFile to be more secure
     (Closes: #388608)
   * New Debian patch:
     + sharedscripts-519432.patch: Prerotate and postrotate scripts get the
       list of rotated files passed to them as arguments. (Closes: #519432)
     + chown-484762.patch: If running as non-root, warn but don't abort if
       we can't chown the compressed log file. (Closes: #484762)
   * Update Standards-Version to 3.8.2. (No changes)

 -- Paul Martin <email address hidden> Tue, 04 Aug 2009 15:18:18 +0100
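
The security-388608 and nofollow changelog entries above both come down to how a file is opened; this is an added C example of that discipline, not logrotate's code and not the Debian patches themselves. The helper names, the temp-directory scenario and the hard-link check are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a rotated or compressed output file. O_EXCL fails
 * if the name exists in any form (file, hard link, symlink, even dangling). */
int create_output(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
}

/* Hypothetical helper: open a log to compress, copy or mail it. O_NOFOLLOW
 * refuses a symlink; fstat() on the descriptor (not the path) then refuses
 * non-regular files and, as an extra assumption, files with other hard links. */
int open_log(const char *path)
{
    struct stat sb;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd >= 0 && (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode) || sb.st_nlink != 1)) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Constructed scenario: a symlink to "victim" sits at the output name. Returns 1
 * if both helpers refuse it, victim is unchanged, and both work once it is gone. */
int planted_symlink_refused(void)
{
    char dir[] = "/tmp/lrdemoXXXXXX", victim[64], out[64];
    struct stat sb;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/app.log.1.gz", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || close(fd) != 0) return 0;
    if (symlink(victim, out) != 0) return 0;
    int refused = create_output(out, 0640) < 0 && open_log(out) < 0;
    int intact = stat(victim, &sb) == 0 && sb.st_size == 7;
    unlink(out);
    int w = create_output(out, 0640), r = open_log(out);
    close(w); close(r); unlink(out); unlink(victim); rmdir(dir);
    return refused && intact && w >= 0 && r >= 0;
}

int main(void) { return planted_symlink_refused() ? 0 : 1; }
```

Opening without `O_EXCL` (for example with `O_TRUNC` on an existing name) is the pattern the race in #388608 relies on, because the name can change between the rename and the open.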


Bhavani Shankar (bhavi) wrote :
Changed in logrotate (Ubuntu):
status: New → Confirmed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package logrotate - 3.7.8-4ubuntu1

---------------
logrotate (3.7.8-4ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes: LP: #414347
    - debian/control: Drop mailx to Suggests for Ubuntu; it's only used
      on request, and we don't configure an MTA by default.

logrotate (3.7.8-4) unstable; urgency=high

  * New patch:
    + security-388608.patch: A race condition in the creation of
      compressed and copied log files makes it possible to overwrite
      arbitrary files by generating a link or symlink during a window
      of opportunity between logrotate renaming a log file and creating
      the copy of the next. (Closes: #388608) Once again, many thanks to
      Florian Zumbiehl for forcing me to think.
  * Uploading to unstable.

logrotate (3.7.8-3) experimental; urgency=low

  * New patch:
    + nofollow.patch: If a logfile is a symlink, it may be read when
      being compressed, being copied (copy, copytruncate) or mailed.
      Secure data (eg. password files) may be exposed. Thanks to
      Florian Zumbiehl for getting me thinking about this one.

logrotate (3.7.8-2) experimental; urgency=low

  * New patch:
    + create-388608.patch: Really squash the race condition for the
      creation of compressed log files and the creation of new ones.
      (Closes: 388608)

logrotate (3.7.8-1) experimental; urgency=low

  * New upstream release:
    - do not exit on status file errors
    - limit config file inclusion nesting
    - use hashes for status file handling (patch by Petr Tesarik
      <email address hidden> and Leonardo Chiquitto)
    - dateformat to allow unixtime (patch by Sami Kerola <email address hidden>)
  * Upstream has taken some of our patches:
    - manpage.patch: partial uptake, updated
    - man-189243.patch: fully applied upstream
    - man-sizetypo.patch: fully applied upstream
    - man-overriden.patch: fully applied upstream
  * Added a watch file (but upstream has a redirect to https).
  * Upstream has also fixed createOutputFile to be more secure
    (Closes: #388608)
  * New Debian patch:
    + sharedscripts-519432.patch: Prerotate and postrotate scripts get the
      list of rotated files passed to them as arguments. (Closes: #519432)
    + chown-484762.patch: If running as non-root, warn but don't abort if
      we can't chown the compressed log file. (Closes: #484762)
  * Update Standards-Version to 3.8.2. (No changes)

 -- Bhavani Shankar <email address hidden> Sun, 16 Aug 2009 12:40:24 +0530

Changed in logrotate (Ubuntu):
status: Confirmed → Fix Released