Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please approve sysstat 12.0.3, which is an upstream bugfix release, for uploading to unstable and migrating to testing.

The upstream release contains fixes for CVE-2018-19416 [1] and CVE-2018-19517 [2]; however, the patch [3] is not easily applicable to the version in buster (12.0.1-1), because it depends on another patch [4], which contains a fix for a backward compatibility issue introduced in 12.0.1. Apart from those two quite big patches, the new upstream release contains a few smaller fixes, like the one for an infinite loop [5]. In my opinion it should be quite safe to allow it for buster, most probably safer than trying to backport the patch [3] to 12.0.1 while getting rid of the dependency on [4].

The Debian packaging part contains fixes for two small regressions against the current stretch version of sysstat: one is for an init script failure when systemd is not used [6], and another one is for unnecessary execution of the systemd service file during upgrades.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914384
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914553
[3] https://github.com/sysstat/sysstat/commit/bf203d645110ecba8ec3a37874b577ce40a2788b
[4] https://github.com/sysstat/sysstat/commit/87bce40bc02ff77edee44a7b9d8233ae6a056012
[5] https://github.com/sysstat/sysstat/commit/45de3c27697d9c1c4d8feb12c865d1fe53ce45bf
[6] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924864

I uploaded sysstat 12.0.3-1 to experimental a few days ago with the following changelog:

sysstat (12.0.3-1) experimental; urgency=medium

  * New upstream stable version:
    + sadf: Fix out of bound reads security issues (CVE-2018-19416 and
      CVE-2018-19517, closes: #914384, #914553);
    + sadf: Fix possible infinite loop;
    + sar: Fortify remap_struct() function to prevent possible crashes on
      reading binary datafiles generated by older versions of sysstat.
  * systat.init.d: revert a change introduced in 11.5.5-1, as it caused the
    start script to fail to execute the command that adds the "Linux Restart"
    marker into the statistics file on systems on which systemd is not used.
    Thanks to Georgios Zarkadas for noticing this (closes: #924864).
  * debian/rules: replace deprecated dh_systemd_start by dh_installsystemd,
    as suggested by lintian; the former command was ignored by debhelper v11,
    which in turn resulted in the `--no-start' option being ignored, and the
    restart markers were incorrectly added during package upgrades.

 -- Robert Luberda <rob...@debian.org>  Sun, 17 Mar 2019 23:09:46 +0100

The debdiff against buster is attached. If you think this version would be OK for buster, then I can upload -2 to unstable, with no other changes except for the Debian changelog entry. Otherwise please let me know what you would approve, and what I should do:

- backport patch [3] only (but I don't think this would be safer);
- backport both patches, i.e. [3] and [4] (but those are the biggest ones);
- something else.

Regards,
robert

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (990, 'unstable-debug'), (990, 'stable-updates'), (990, 'unstable'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Attachments: sysstat_12.0.3-1.diff.gz (application/gzip), signature.asc (PGP signature)