Comment 2 for bug 414347

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package logrotate - 3.7.8-4ubuntu1

---------------
logrotate (3.7.8-4ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes: LP: #414347
    - debian/control: Drop mailx to Suggests for Ubuntu; it's only used
      on request, and we don'c configure an MTA by default.

logrotate (3.7.8-4) unstable; urgency=high

  * New patch:
    + security-388608.patch: A race condition in the creation of
      compressed and copied log files makes it possible to overwrite
      arbitrary files by generating a link or symlink during a window
      of opportunity between logrotate renaming a log file and creating
      the copy of the next. (Closes: #388608) Once again, many thanks to
      Florian Zumbiehl for forcing me to think.
  * Uploading to unstable.

logrotate (3.7.8-3) experimental; urgency=low

  * New patch:
    + nofollow.patch: If a logfile is a symlink, it may be read when
      being compressed, being copied (copy, copytruncate) or mailed.
      Secure data (eg. password files) may be exposed. Thanks to
      Florian Zumbiehl for getting me thinking about this one.

logrotate (3.7.8-2) experimental; urgency=low

  * New patch:
    + create-388608.patch: Really squash the race condition for the
      creation of compressed log files and the creation of new ones.
      (Closes: 388608)

logrotate (3.7.8-1) experimental; urgency=low

  * New upstream release:
    - do not exit on status file errors
    - limit config file inclusion nesting
    - use hashes for status file handling (patch by Petr Tesarik
      <email address hidden> and Leonardo Chiquitto)
    - dateformat to allow unixtime (patch by Sami Kerola <email address hidden>)
  * Upstream has taken some of our patches:
    - manpage.patch: partial uptake, updated
    - man-189243.patch: fully applied upstream
    - man-sizetypo.patch: fully applied upstream
    - man-overriden.patch: fully applied upstream
  * Added a watch file (but upstream has a redirect to https).
  * Upstream has also fixed createOutputFile to be more secure
    (Closes: #388608)
  * New Debian patch:
    + sharedscripts-519432.patch: Prerotate and postrotate scripts get the
      list of rotated files passed to them as arguments. (Closes: #519432)
    + chown-484762.patch: If running as non-root, warn but don't abort if
      we can't chown the compressed log file. (Closes: #484762)
  * Update Standards-Version to 3.8.2. (No changes)

 -- Bhavani Shankar <email address hidden> Sun, 16 Aug 2009 12:40:24 +0530