Please merge logrotate 3.7.8-4(main) from debian unstable(main)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
logrotate (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: logrotate
Debian has a new version to be merged
logrotate (3.7.8-4) unstable; urgency=high
* New patch:
+ security-
compressed and copied log files makes it possible to overwrite
arbitrary files by generating a link or symlink during a window
of opportunity between logrotate renaming a log file and creating
the copy of the next. (Closes: #388608) Once again, many thanks to
Florian Zumbiehl for forcing me to think.
* Uploading to unstable.
-- Paul Martin <email address hidden> Fri, 14 Aug 2009 23:22:04 +0100
logrotate (3.7.8-3) experimental; urgency=low
* New patch:
+ nofollow.patch: If a logfile is a symlink, it may be read when
being compressed, being copied (copy, copytruncate) or mailed.
Secure data (eg. password files) may be exposed. Thanks to
Florian Zumbiehl for getting me thinking about this one.
-- Paul Martin <email address hidden> Thu, 06 Aug 2009 16:35:41 +0100
logrotate (3.7.8-2) experimental; urgency=low
* New patch:
+ create-
creation of compressed log files and the creation of new ones.
(Closes: 388608)
-- Paul Martin <email address hidden> Tue, 04 Aug 2009 21:16:03 +0100
logrotate (3.7.8-1) experimental; urgency=low
* New upstream release:
- do not exit on status file errors
- limit config file inclusion nesting
- use hashes for status file handling (patch by Petr Tesarik
<email address hidden> and Leonardo Chiquitto)
- dateformat to allow unixtime (patch by Sami Kerola <email address hidden>)
* Upstream has taken some of our patches:
- manpage.patch: partial uptake, updated
- man-189243.patch: fully applied upstream
- man-sizetypo.patch: fully applied upstream
- man-overriden.
* Added a watch file (but upstream has a redirect to https).
* Upstream has also fixed createOutputFile to be more secure
(Closes: #388608)
* New Debian patch:
+ sharedscripts-
list of rotated files passed to them as arguments. (Closes: #519432)
+ chown-484762.patch: If running as non-root, warn but don't abort if
we can't chown the compressed log file. (Closes: #484762)
* Update Standards-Version to 3.8.2. (No changes)
-- Paul Martin <email address hidden> Tue, 04 Aug 2009 15:18:18 +0100
This bug was fixed in the package logrotate - 3.7.8-4ubuntu1
---------------
logrotate (3.7.8-4ubuntu1) karmic; urgency=low
* Merge from debian unstable, remaining changes: LP: #414347
- debian/control: Drop mailx to Suggests for Ubuntu; it's only used
on request, and we don'c configure an MTA by default.
logrotate (3.7.8-4) unstable; urgency=high
* New patch: 388608. patch: A race condition in the creation of
+ security-
compressed and copied log files makes it possible to overwrite
arbitrary files by generating a link or symlink during a window
of opportunity between logrotate renaming a log file and creating
the copy of the next. (Closes: #388608) Once again, many thanks to
Florian Zumbiehl for forcing me to think.
* Uploading to unstable.
logrotate (3.7.8-3) experimental; urgency=low
* New patch:
+ nofollow.patch: If a logfile is a symlink, it may be read when
being compressed, being copied (copy, copytruncate) or mailed.
Secure data (eg. password files) may be exposed. Thanks to
Florian Zumbiehl for getting me thinking about this one.
logrotate (3.7.8-2) experimental; urgency=low
* New patch: 388608. patch: Really squash the race condition for the
+ create-
creation of compressed log files and the creation of new ones.
(Closes: 388608)
logrotate (3.7.8-1) experimental; urgency=low
* New upstream release: patch: fully applied upstream 519432. patch: Prerotate and postrotate scripts get the
- do not exit on status file errors
- limit config file inclusion nesting
- use hashes for status file handling (patch by Petr Tesarik
<email address hidden> and Leonardo Chiquitto)
- dateformat to allow unixtime (patch by Sami Kerola <email address hidden>)
* Upstream has taken some of our patches:
- manpage.patch: partial uptake, updated
- man-189243.patch: fully applied upstream
- man-sizetypo.patch: fully applied upstream
- man-overriden.
* Added a watch file (but upstream has a redirect to https).
* Upstream has also fixed createOutputFile to be more secure
(Closes: #388608)
* New Debian patch:
+ sharedscripts-
list of rotated files passed to them as arguments. (Closes: #519432)
+ chown-484762.patch: If running as non-root, warn but don't abort if
we can't chown the compressed log file. (Closes: #484762)
* Update Standards-Version to 3.8.2. (No changes)
-- Bhavani Shankar <email address hidden> Sun, 16 Aug 2009 12:40:24 +0530