Your message dated Sat, 22 Jul 2017 13:17:18 +0100
with message-id <1500725838.14212.3.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 9.1 p-u fixes
has caused the Debian Bug report #868105,
regarding stretch-pu: package rkhunter/1.4.2-6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
868105: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
This is an update for a security issue that is not going to get a DSA:
https://security-tracker.debian.org/tracker/CVE-2017-7480
Attached is the debdiff against the version in stable.
Francois
diff -Nru rkhunter-1.4.2/debian/changelog rkhunter-1.4.2/debian/changelog
--- rkhunter-1.4.2/debian/changelog 2016-07-03 17:29:37.000000000 -0700
+++ rkhunter-1.4.2/debian/changelog 2017-07-11 20:07:17.000000000 -0700
@@ -1,3 +1,10 @@
+rkhunter (1.4.2-6+deb9u1) stable; urgency=high
+
+ * Disable remote updates to fix CVE-2017-7480 and prevent bugs like
+ it in the future (closes: #765895, #866677)
+
+ -- Francois Marier <franc...@debian.org> Wed, 12 Jul 2017 03:07:17 +0000
+
rkhunter (1.4.2-6) unstable; urgency=medium
* Fix logcheck rule ("1 seconds")
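Review bot: The new 1.4.2-6+deb9u1 changelog entry does not name the settings that change, only that remote updates are disabled. Since the fix is made in files/rkhunter.conf, listing UPDATE_MIRRORS=0, MIRRORS_MODE=1, UPDATE_LANG="en" and WEB_CMD="/bin/false" in the entry would let an administrator with a locally edited rkhunter.conf compare it against the new values.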
diff -Nru rkhunter-1.4.2/debian/patches/06_disable-updates.diff rkhunter-1.4.2/debian/patches/06_disable-updates.diff
--- rkhunter-1.4.2/debian/patches/06_disable-updates.diff 1969-12-31 16:00:00.000000000 -0800
+++ rkhunter-1.4.2/debian/patches/06_disable-updates.diff 2017-07-11 20:07:17.000000000 -0700
@@ -0,0 +1,44 @@
+Description: Disable all remote updates
+Author: Christoph Anton Mitterer <cales...@scientia.net>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765895
+Forwarded: not-needed
+Last-Update: 2017-07-05
+
+--- a/files/rkhunter.conf
++++ b/files/rkhunter.conf
+@@ -104,7 +104,7 @@
+ #
+ # The default value is '1'.
+ #
+-#UPDATE_MIRRORS=1
++UPDATE_MIRRORS=0
+
+ #
+ # The MIRRORS_MODE option tells rkhunter which mirrors are to be used when
+@@ -119,7 +119,7 @@
+ #
+ # The default value is '0'.
+ #
+-#MIRRORS_MODE=0
++MIRRORS_MODE=1
+
+ #
+ # Email a message to this address if a warning is found when the system is
+@@ -221,7 +221,7 @@ SCRIPTDIR=/usr/share/rkhunter/scripts
+ # The default value is the null string, indicating that all the language files
+ # will be updated.
+ #
+-#UPDATE_LANG=""
++UPDATE_LANG="en"
+
+ #
+ # This option specifies the log file pathname. The file will be created if it
+@@ -1131,7 +1131,7 @@ SCRIPTWHITELIST=/usr/sbin/adduser
+ #
+ # This option has no default value.
+ #
+-#WEB_CMD=""
++WEB_CMD="/bin/false"
+
+ #
+ # Set the following option to '1' if locking is to be used when rkhunter runs.
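Review bot: The comment blocks above the four changed options in files/rkhunter.conf are left as they were (for example "The default value is '1'." sits directly above UPDATE_MIRRORS=0), so the shipped file never says why these values differ from the documented defaults or that they should not be reverted. Suggest a one-line comment above each changed setting stating that it is set to disable remote updates for CVE-2017-7480; this matters most for WEB_CMD="/bin/false" and UPDATE_LANG="en", whose purpose is not obvious from the value. The patch header's Description ("Disable all remote updates") could also mention the CVE, which currently appears only in debian/changelog.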
diff -Nru rkhunter-1.4.2/debian/patches/series rkhunter-1.4.2/debian/patches/series
--- rkhunter-1.4.2/debian/patches/series 2016-07-03 17:29:37.000000000 -0700
+++ rkhunter-1.4.2/debian/patches/series 2017-07-11 20:07:17.000000000 -0700
@@ -1,4 +1,5 @@
05_custom_conffile.diff
+06_disable-updates.diff
10_fix-man.diff
15_remove-empty-dir.diff
20_fix-ipcs-language.diff
--- End Message ---
--- Begin Message ---
Version: 9.1
Hi,
These bugs all relate to updates which were included in today's stretch
point release.
Regards,
Adam
--- End Message ---